- `kettle` command
  - set up a rust project
  - set up clap
  - format help output
- `kettle verify` command
  - import verify code from attestation-rs
  - fetch AMD cert chain, check signature
  - parse provenance.json files for cargo and nix
  - validate attestation checksum matches provenance.json checksum
  - print tables of build info and verification results
    - print AMD cert chain verify result
    - print VCEK verify result
    - print sev-snp report verify result
    - print report data checksum verify result
    - print provenance checksum verify result
  - verify artifacts against provenance.json checksums
  - print launch measurements, guest_svn, policy, version, and vmpl
  - print git commit sha
  - print detailed error message after the table with expected and actual checksums
- `kettle build` command
  - collect provenance data
    - collect git repo data: commit_hash, tree_hash, git_binary_hash, repository_url
    - handle cargo build
      - collect lockfile hash
      - collect rustc + cargo binary info (path, hash, version)
      - run `cargo build --locked --release`
      - collect executables from target/release/* (path, hash, name)
    - handle nix build
      - collect lockfile hash
      - collect nix binary info (path, hash, version)
      - run `nix build`
      - collect executable info (path, hash, name)
  - generate provenance.json file
- `kettle attest` command
  - generate attestation from provenance and build result
    - hash provenance for checksum
    - call attest with custom data of provenance checksum
    - write the results into `evidence.json`
  - toolchain for python packages
  - toolchain for go binaries
- `kettle verify-source BUILD_PATH SOURCE_PATH` command (verifies that SOURCE_PATH was used to create BUILD_PATH)
  - verify git commit against provenance
  - verify lockfile against provenance
  - verify entire merkle tree against provenance
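The build, attest and verify items above describe one pipeline: `kettle build` hashes the lockfile and the produced executables into provenance.json, `kettle attest` passes the checksum of that file as the custom report data of the attestation, and `kettle verify` checks the report data against provenance.json and provenance.json against the artifacts, printing a results table and, on failure, the expected and actual checksums. The following is an added example of that flow written for this page, not kettle's own code and not Rust: it uses Python's standard library only, the artifact bytes, git values and provenance field names are constructed stand-ins, and the layout of the 64-byte SEV-SNP REPORT_DATA field (SHA-256 of provenance.json first, zero-padded) is an assumption of the example rather than something the list specifies.

```python
"""Added example (not kettle's code): provenance.json generation, checksum
binding into report data, and verification with expected/actual details."""
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample inputs (not real build output): file contents as they would
# sit in the repo and target directory after `cargo build --locked --release`.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "Cargo.lock": b'# constructed lockfile\n[[package]]\nname = "kettle"\nversion = "0.1.0"\n',
    "target/release/kettle": b"\x7fELF constructed executable bytes",
}
SAMPLE_GIT = {  # constructed placeholder values, not a real repository
    "commit_hash": "0" * 40,
    "tree_hash": "1" * 40,
    "repository_url": "https://example.invalid/kettle.git",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_provenance(artifacts: Dict[str, bytes], git: dict) -> dict:
    """`kettle build` side: git data, lockfile hash, executables (name, path, hash)."""
    executables = [
        {"name": path.rsplit("/", 1)[-1], "path": path, "sha256": sha256_hex(data)}
        for path, data in sorted(artifacts.items())
        if path.startswith("target/release/")
    ]
    return {
        "git": git,
        "cargo": {
            "command": "cargo build --locked --release",
            "lockfile_sha256": sha256_hex(artifacts["Cargo.lock"]),
        },
        "executables": executables,
    }


def serialize_provenance(provenance: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so the checksum is stable."""
    return json.dumps(provenance, sort_keys=True, separators=(",", ":")).encode()


def report_data_for(provenance_bytes: bytes) -> bytes:
    """`kettle attest` side: custom data handed to the attestation call.
    SEV-SNP REPORT_DATA is 64 bytes; placing the 32-byte SHA-256 of
    provenance.json first and zero-padding is this example's assumption."""
    return hashlib.sha256(provenance_bytes).digest().ljust(64, b"\x00")


def verify(provenance_bytes: bytes, report_data: bytes,
           artifacts: Dict[str, bytes]) -> Tuple[Dict[str, bool], List[str]]:
    """`kettle verify` side: report data vs provenance.json, then provenance.json
    vs artifacts. Returns pass/fail per check and a detail line per failure."""
    results: Dict[str, bool] = {}
    details: List[str] = []

    expected_rd = report_data_for(provenance_bytes)
    results["report data checksum"] = report_data == expected_rd
    if not results["report data checksum"]:
        details.append(f"report_data: expected {expected_rd.hex()} actual {report_data.hex()}")

    provenance = json.loads(provenance_bytes)
    expected_lock = provenance["cargo"]["lockfile_sha256"]
    actual_lock = sha256_hex(artifacts.get("Cargo.lock", b""))
    results["lockfile checksum"] = actual_lock == expected_lock
    if not results["lockfile checksum"]:
        details.append(f"Cargo.lock: expected {expected_lock} actual {actual_lock}")

    artifacts_ok = True
    for exe in provenance["executables"]:
        actual = sha256_hex(artifacts.get(exe["path"], b""))  # missing file hashes as empty
        if actual != exe["sha256"]:
            artifacts_ok = False
            details.append(f'{exe["path"]}: expected {exe["sha256"]} actual {actual}')
    results["artifact checksums"] = artifacts_ok
    return results, details


def print_table(results: Dict[str, bool]) -> None:
    width = max(len(name) for name in results)
    for name, passed in results.items():
        print(f"{name:<{width}}  {'PASS' if passed else 'FAIL'}")


if __name__ == "__main__":
    prov_bytes = serialize_provenance(build_provenance(SAMPLE_ARTIFACTS, SAMPLE_GIT))
    rd = report_data_for(prov_bytes)
    print_table(verify(prov_bytes, rd, SAMPLE_ARTIFACTS)[0])
    # An executable replaced after attestation: table shows FAIL, details follow.
    tampered = {**SAMPLE_ARTIFACTS, "target/release/kettle": b"something else"}
    results, details = verify(prov_bytes, rd, tampered)
    print_table(results)
    print("\n".join(details))
```

The checksum is computed over the exact provenance.json bytes that are distributed, which is why the file is serialized canonically before hashing; re-encoding it with different whitespace at verify time would silently break the report data check. A missing artifact is hashed as empty input so it surfaces as a checksum mismatch with both values printed rather than as an exception.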