feat: add a -workflow-input option (#216)

* update

cli/slsa-verifier/main.go

@@ -8,11 +8,17 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
 
+	serrors "github.com/slsa-framework/slsa-verifier/errors"
 	"github.com/slsa-framework/slsa-verifier/options"
 	"github.com/slsa-framework/slsa-verifier/verifiers"
 )
 
+type workflowInputs struct {
+	kv map[string]string
+}
+
 var (
 	provenancePath  string
 	builderID       string
@@ -21,13 +27,31 @@ var (
 	branch          string
 	tag             string
 	versiontag      string
+	inputs          workflowInputs
 	printProvenance bool
 )
 
 func experimentalEnabled() bool {
 	return os.Getenv("SLSA_VERIFIER_EXPERIMENTAL") == "1"
 }
 
+func (i *workflowInputs) String() string {
+	return fmt.Sprintf("%v", i.kv)
+}
+
+func (i *workflowInputs) Set(value string) error {
+	l := strings.Split(value, "=")
+	if len(l) != 2 {
+		return fmt.Errorf("%w: expected 'key=value' format, got '%s'", serrors.ErrorInvalidFormat, value)
+	}
+	i.kv[l[0]] = l[1]
+	return nil
+}
+
+func (i *workflowInputs) AsMap() map[string]string {
+	return i.kv
+}
+
 func main() {
 	if experimentalEnabled() {
 		flag.StringVar(&builderID, "builder-id", "", "EXPERIMENTAL: the unique builder ID who created the provenance")
@@ -42,6 +66,9 @@ func main() {
 		"[optional] expected version the binary was compiled from. Uses semantic version to match the tag")
 	flag.BoolVar(&printProvenance, "print-provenance", false,
 		"print the verified provenance to std out")
+	inputs.kv = make(map[string]string)
+	flag.Var(&inputs, "workflow-input",
+		"[optional] a workflow input provided by a user at trigger time in the format 'key=value'. (Only for 'workflow_dispatch' events).")
 	flag.Parse()
 
 	if provenancePath == "" || artifactPath == "" || source == "" {
@@ -71,7 +98,7 @@ func main() {
 	}
 
 	verifiedProvenance, _, err := runVerify(artifactPath, provenancePath, source,
-		pbranch, pbuilderID, ptag, pversiontag)
+		pbranch, pbuilderID, ptag, pversiontag, inputs.AsMap())
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "FAILED: SLSA verification failed: %v\n", err)
 		os.Exit(2)
@@ -95,7 +122,7 @@ func isFlagPassed(name string) bool {
 }
 
 func runVerify(artifactPath, provenancePath, source string,
-	branch, builderID, ptag, pversiontag *string,
+	branch, builderID, ptag, pversiontag *string, inputs map[string]string,
 ) ([]byte, string, error) {
 	f, err := os.Open(artifactPath)
 	if err != nil {
@@ -115,11 +142,12 @@ func runVerify(artifactPath, provenancePath, source string,
 	artifactHash := hex.EncodeToString(h.Sum(nil))
 
 	provenanceOpts := &options.ProvenanceOpts{
-		ExpectedSourceURI:    source,
-		ExpectedBranch:       branch,
-		ExpectedDigest:       artifactHash,
-		ExpectedVersionedTag: pversiontag,
-		ExpectedTag:          ptag,
+		ExpectedSourceURI:      source,
+		ExpectedBranch:         branch,
+		ExpectedDigest:         artifactHash,
+		ExpectedVersionedTag:   pversiontag,
+		ExpectedTag:            ptag,
+		ExpectedWorkflowInputs: inputs,
 	}
 
 	builderOpts := &options.BuilderOpts{

cli/slsa-verifier/main_test.go

@@ -44,6 +44,7 @@ func Test_runVerify(t *testing.T) {
 		pversiontag *string
 		pbuilderID  *string
 		builderID   string
+		inputs      map[string]string
 		err         error
 		// noversion is a special case where we are not testing all builder versions
 		// for example, testdata for the builder at head in trusted repo workflows
@@ -383,7 +384,7 @@ func Test_runVerify(t *testing.T) {
 			err:       serrors.ErrorNoValidRekorEntries,
 			noversion: true,
 		},
-		// annotated tags.
+		// Annotated tags.
 		{
 			name:        "annotated tag",
 			artifact:    "annotated-tag",
@@ -400,6 +401,42 @@ func Test_runVerify(t *testing.T) {
 			err:         serrors.ErrorMismatchBranch,
 			noversion:   true,
 		},
+		// Workflow inputs.
+		{
+			name:     "workflow inputs match",
+			artifact: "workflow-inputs",
+			source:   "github.com/laurentsimon/slsa-on-github-test",
+			inputs: map[string]string{
+				"release_version": "v1.2.3",
+				"some_bool":       "true",
+				"some_integer":    "123",
+			},
+			noversion: true,
+		},
+		{
+			name:     "workflow inputs missing field",
+			artifact: "workflow-inputs",
+			source:   "github.com/laurentsimon/slsa-on-github-test",
+			inputs: map[string]string{
+				"release_version": "v1.2.3",
+				"some_bool":       "true",
+				"missing_field":   "123",
+			},
+			err:       serrors.ErrorMismatchWorkflowInputs,
+			noversion: true,
+		},
+		{
+			name:     "workflow inputs mismatch",
+			artifact: "workflow-inputs",
+			source:   "github.com/laurentsimon/slsa-on-github-test",
+			inputs: map[string]string{
+				"release_version": "v1.2.3",
+				"some_bool":       "true",
+				"some_integer":    "321",
+			},
+			err:       serrors.ErrorMismatchWorkflowInputs,
+			noversion: true,
+		},
 		// Regression test of sharded UUID.
 		{
 			name:      "regression: sharded uuids",
@@ -458,7 +495,7 @@ func Test_runVerify(t *testing.T) {
 				_, builderID, err := runVerify(artifactPath,
 					provenancePath,
 					tt.source, tt.pbranch, tt.pbuilderID,
-					tt.ptag, tt.pversiontag)
+					tt.ptag, tt.pversiontag, tt.inputs)
 
 				if !errCmp(err, tt.err) {
 					t.Errorf(cmp.Diff(err, tt.err, cmpopts.EquateErrors()))

cli/slsa-verifier/testdata/workflow-inputs

@@ -0,0 +1 @@
+artifact1

cli/slsa-verifier/testdata/workflow-inputs.intoto.jsonl

@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJhcnRpZmFjdDEiLCJkaWdlc3QiOnsic2hhMjU2IjoiNDgyY2U4YzhmN2U4NjdkYTNhM2MwNWE5YWVlNjM3NzAzZTE3NDcwZWQxY2Y4ODJhOWU1YjQwNWU4ZjgyNjE5ZCJ9fSx7Im5hbWUiOiJhcnRpZmFjdDIiLCJkaWdlc3QiOnsic2hhMjU2IjoiODljZmM2OTU0ZTg4YjJmOTJhN2MyODc5ZDllYjA4NWM0MmYzYzcwNjVkMDEyYTUwNjZmNDUwZGJlNTliMmMwMCJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9nZW5lcmF0b3JfZ2VuZXJpY19zbHNhMy55bWxAcmVmcy90YWdzL3YxLjIuMCJ9LCJidWlsZFR5cGUiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yQHYxIiwiaW52b2NhdGlvbiI6eyJjb25maWdTb3VyY2UiOnsidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdEByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsic2hhMSI6IjQ2NmMxMTNlZDNkNWFjNzU2ODE3NGQ0YjZhZDZiYjZhODBlMTUzYjIifSwiZW50cnlQb2ludCI6Ii5naXRodWIvd29ya2Zsb3dzL3Nsc2EtZ2VuZXJpYy55bWwifSwicGFyYW1ldGVycyI6eyJldmVudF9pbnB1dHMiOnsicmVsZWFzZV92ZXJzaW9uIjoidjEuMi4zIiwic29tZV9ib29sIjoidHJ1ZSIsInNvbWVfaW50ZWdlciI6IjEyMyJ9fSwiZW52aXJvbm1lbnQiOnsiZ2l0aHViX2FjdG9yIjoibGF1cmVudHNpbW9uIiwiZ2l0aHViX2FjdG9yX2lkIjoiNjQ1MDUwOTkiLCJnaXRodWJfYmFzZV9yZWYiOiIiLCJnaXRodWJfZXZlbnRfbmFtZSI6IndvcmtmbG93X2Rpc3BhdGNoIiwiZ2l0aHViX2V2ZW50X3BheWxvYWQiOnsiaW5wdXRzIjp7InJlbGVhc2VfdmVyc2lvbiI6InYxLjIuMyIsInNvbWVfYm9vbCI6InRydWUiLCJzb21lX2ludGVnZXIiOiIxMjMifSwicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3Qve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvYXNzaWduZWVzey91c2VyfSIsImJsb2JzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC5naXQiLCJjb2xsYWJvcmF0b3JzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvY29tbWl0c3svc2hhfSIsImNvbXBhcmVfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2NvbnRyaWJ1dG9ycyIsImNyZWF0ZWRfYXQiOiIyMDIyLTAyLTA1VDAxOjEwOjQ2WiIsImRlZmF1bHRfYnJhbmNoIjoibWFpbiIsImRlcGxveW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6IlRlc3QgZm9yIFNMU0EiLCJkaXNhYmxlZCI6ZmFsc2UsImRvd25sb2Fkc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2Rvd25sb2FkcyIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2V2ZW50cyIsImZvcmsiOmZhbHNlLCJmb3JrcyI6MSwiZm9ya3NfY291bnQiOjEsImZvcmtzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvZm9ya3MiLCJmdWxsX25hbWUiOiJsYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdCIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvZ2l0L2NvbW1pdHN7L3NoYX0iLCJnaXRfcmVmc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2dpdC9yZWZzey9zaGF9IiwiZ2l0X3RhZ3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0LmdpdCIsImhhc19kb3dubG9hZHMiOnRydWUsImhhc19pc3N1ZXMiOnRydWUsImhhc19wYWdlcyI6ZmFsc2UsImhhc19wcm9qZWN0cyI6dHJ1ZSwiaGFzX3dpa2kiOnRydWUsImhvbWVwYWdlIjpudWxsLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2hvb2tzIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QiLCJpZCI6NDU1NzQzMzk2LCJpc190ZW1wbGF0ZSI6ZmFsc2UsImlzc3VlX2NvbW1lbnRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9pc3N1ZXMvZXZlbnRzey9udW1iZXJ9IiwiaXNzdWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvaXNzdWVzey9udW1iZXJ9Iiwia2V5c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9sYWJlbHN7L25hbWV9IiwibGFuZ3VhZ2UiOiJTaGVsbCIsImxhbmd1YWdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoiYXBhY2hlLTIuMCIsIm5hbWUiOiJBcGFjaGUgTGljZW5zZSAyLjAiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRJPSIsInNwZHhfaWQiOiJBcGFjaGUtMi4wIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9hcGFjaGUtMi4wIn0sIm1lcmdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9taWxlc3RvbmVzey9udW1iZXJ9IiwibWlycm9yX3VybCI6bnVsbCwibmFtZSI6InNsc2Etb24tZ2l0aHViLXRlc3QiLCJub2RlX2lkIjoiUl9rZ0RPR3lvWHBBIiwibm90aWZpY2F0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L25vdGlmaWNhdGlvbnN7P3NpbmNlLGFsbCxwYXJ0aWNpcGF0aW5nfSIsIm9wZW5faXNzdWVzIjoyNCwib3Blbl9pc3N1ZXNfY291bnQiOjI0LCJvd25lciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91LzY0NTA1MDk5P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24iLCJpZCI6NjQ1MDUwOTksImxvZ2luIjoibGF1cmVudHNpbW9uIiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pZME5UQTFNRGs1Iiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24ifSwicHJpdmF0ZSI6ZmFsc2UsInB1bGxzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvcHVsbHN7L251bWJlcn0iLCJwdXNoZWRfYXQiOiIyMDIyLTA4LTE1VDE3OjAyOjA4WiIsInJlbGVhc2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QvcmVsZWFzZXN7L2lkfSIsInNpemUiOjY2Niwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOmxhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0LmdpdCIsInN0YXJnYXplcnNfY291bnQiOjEsInN0YXJnYXplcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9zdGFyZ2F6ZXJzIiwic3RhdHVzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbGF1cmVudHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3Qvc3Vic2NyaWJlcnMiLCJzdWJzY3JpcHRpb25fdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9zdWJzY3JpcHRpb24iLCJzdm5fdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0IiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L3RhZ3MiLCJ0ZWFtc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0L3RlYW1zIiwidG9waWNzIjpbXSwidHJlZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdC9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMi0wNi0xM1QyMDoyOTozM1oiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL2xhdXJlbnRzaW1vbi9zbHNhLW9uLWdpdGh1Yi10ZXN0IiwidmlzaWJpbGl0eSI6InB1YmxpYyIsIndhdGNoZXJzIjoxLCJ3YXRjaGVyc19jb3VudCI6MSwid2ViX2NvbW1pdF9zaWdub2ZmX3JlcXVpcmVkIjpmYWxzZX0sInNlbmRlciI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91LzY0NTA1MDk5P3Y9NCIsImV2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9ldmVudHN7L3ByaXZhY3l9IiwiZm9sbG93ZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9mb2xsb3dpbmd7L290aGVyX3VzZXJ9IiwiZ2lzdHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vZ2lzdHN7L2dpc3RfaWR9IiwiZ3JhdmF0YXJfaWQiOiIiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24iLCJpZCI6NjQ1MDUwOTksImxvZ2luIjoibGF1cmVudHNpbW9uIiwibm9kZV9pZCI6Ik1EUTZWWE5sY2pZME5UQTFNRGs1Iiwib3JnYW5pemF0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL3JlcG9zIiwic2l0ZV9hZG1pbiI6ZmFsc2UsInN0YXJyZWRfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24ifSwid29ya2Zsb3ciOiIuZ2l0aHViL3dvcmtmbG93cy9zbHNhLWdlbmVyaWMueW1sIn0sImdpdGh1Yl9oZWFkX3JlZiI6IiIsImdpdGh1Yl9yZWYiOiJyZWZzL2hlYWRzL21haW4iLCJnaXRodWJfcmVmX3R5cGUiOiJicmFuY2giLCJnaXRodWJfcmVwb3NpdG9yeV9pZCI6IjQ1NTc0MzM5NiIsImdpdGh1Yl9yZXBvc2l0b3J5X293bmVyIjoibGF1cmVudHNpbW9uIiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXJfaWQiOiI2NDUwNTA5OSIsImdpdGh1Yl9ydW5fYXR0ZW1wdCI6IjEiLCJnaXRodWJfcnVuX2lkIjoiMjg2MjE3MTAwMyIsImdpdGh1Yl9ydW5fbnVtYmVyIjoiOCIsImdpdGh1Yl9zaGExIjoiNDY2YzExM2VkM2Q1YWM3NTY4MTc0ZDRiNmFkNmJiNmE4MGUxNTNiMiJ9fSwibWV0YWRhdGEiOnsiYnVpbGRJbnZvY2F0aW9uSUQiOiIyODYyMTcxMDAzLTEiLCJjb21wbGV0ZW5lc3MiOnsicGFyYW1ldGVycyI6dHJ1ZSwiZW52aXJvbm1lbnQiOmZhbHNlLCJtYXRlcmlhbHMiOmZhbHNlfSwicmVwcm9kdWNpYmxlIjpmYWxzZX0sIm1hdGVyaWFscyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9sYXVyZW50c2ltb24vc2xzYS1vbi1naXRodWItdGVzdEByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsic2hhMSI6IjQ2NmMxMTNlZDNkNWFjNzU2ODE3NGQ0YjZhZDZiYjZhODBlMTUzYjIifX1dfX0=","signatures":[{"keyid":"","sig":"MEUCIHBtbLeV5WMsyLpPrZcxFU1wuEYHFUrJnzizsg17dL4hAiEAkoTLa49Vrf/g5mSaWY6Oab99YNvqByNgR773ikJXQ5I=","cert":"-----BEGIN CERTIFICATE-----\nMIIDVDCCAtqgAwIBAgITLCk1E2/wH2/mCjCYAovMeTTHnDAKBggqhkjOPQQDAzAq\nMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIy\nMDgxNTE3MDQxMloXDTIyMDgxNTE3MTQxMVowADBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABCw6VO5lksfxcjt+4cEbgBnLuPB2wDgj3I9UQZh45xW4KRYKM7/oSLfD\nP8QGLfgNkv3ZDwBZUDLbBk0hNoMq0bejggIHMIICAzAOBgNVHQ8BAf8EBAMCB4Aw\nEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUyxfq\nz2Pr2VR+K9FdiLbOSxqIYgQwHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrF\nxfowgYQGA1UdEQEB/wR6MHiGdmh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1l\nd29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvZ2Vu\nZXJhdG9yX2dlbmVyaWNfc2xzYTMueW1sQHJlZnMvdGFncy92MS4yLjAwHwYKKwYB\nBAGDvzABAgQRd29ya2Zsb3dfZGlzcGF0Y2gwLgYKKwYBBAGDvzABBQQgbGF1cmVu\ndHNpbW9uL3Nsc2Etb24tZ2l0aHViLXRlc3QwJAYKKwYBBAGDvzABBAQWU0xTQSBn\nZW5lcmljIGdlbmVyYXRvcjAdBgorBgEEAYO/MAEGBA9yZWZzL2hlYWRzL21haW4w\nOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJj\nb250ZW50LmNvbTA2BgorBgEEAYO/MAEDBCg0NjZjMTEzZWQzZDVhYzc1NjgxNzRk\nNGI2YWQ2YmI2YTgwZTE1M2IyMAoGCCqGSM49BAMDA2gAMGUCMQCx4+iMpFBvnFV9\nX6goGjQfdgliPcNa4cdd2K0nmrn79cOpslyzcJLAlL/qSYsGlocCMC/P/gL2B16i\nMp6YQZUiSMwzUohrr7V3nJsMPcLgETGyiZoR3UijZG74FobZ/+3pCw==\n-----END CERTIFICATE-----\n"}]}

errors/errors.go

@@ -7,6 +7,7 @@ var (
 	ErrorMismatchBranch            = errors.New("branch used to generate the binary does not match provenance")
 	ErrorMismatchBuilderID         = errors.New("builderID does not match provenance")
 	ErrorMismatchSource            = errors.New("source used to generate the binary does not match provenance")
+	ErrorMismatchWorkflowInputs    = errors.New("workflow input does not match")
 	ErrorMalformedURI              = errors.New("URI is malformed")
 	ErrorMismatchTag               = errors.New("tag used to generate the binary does not match provenance")
 	ErrorMismatchVersionedTag      = errors.New("tag used to generate the binary does not match provenance")
@@ -18,4 +19,5 @@ var (
 	ErrorNoValidRekorEntries       = errors.New("could not find a matching valid signature entry")
 	ErrorVerifierNotSupported      = errors.New("no verifier support the builder")
 	ErrorNotSupported              = errors.New("not supported")
+	ErrorInvalidFormat             = errors.New("invalid format")
 )

options/options.go

@@ -20,6 +20,9 @@ type ProvenanceOpts struct {
 
 	// ExpectedBuilderID is the expected builder ID.
 	ExpectedBuilderID string
+
+	// ExpectedWorkflowInputs is a map of key=value inputs.
+	ExpectedWorkflowInputs map[string]string
 }
 
 // BuildOpts are the options for checking the builder.