v1.9.0 regression tests

Signed-off-by: laurentsimon <[email protected]>
slsa-framework · Aug 24, 2023 · 9aa35ad · 9aa35ad
1 parent 58eede7
commit 9aa35ad
Show file tree

Hide file tree

Showing 50 changed files with 226 additions and 3 deletions.
diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go
@@ -36,7 +36,7 @@ func pString(s string) *string {
 const TEST_DIR = "./testdata"
 
 var (
-	GHA_ARTIFACT_PATH_BUILDERS = []string{"gha_go", "gha_generic"}
+	GHA_ARTIFACT_PATH_BUILDERS = []string{"gha_go", "gha_generic", "gha_delegator", "gha_maven", "gha_gradle"}
 	// TODO(https://github.com/slsa-framework/slsa-verifier/issues/485): Merge this with
 	// GHA_ARTIFACT_PATH_BUILDERS.
 	GHA_ARTIFACT_CONTAINER_BUILDERS = []string{"gha_container-based"}
@@ -65,6 +65,9 @@ func getBuildersAndVersions(t *testing.T,
 			if f.IsDir() && (optionalMinVersion == "" ||
 				semver.Compare(optionalMinVersion, f.Name()) <= 0) {
 				// These are the supported versions of the builder
+				if f.Name() != "v1.9.0" {
+					continue
+				}
 				res = append(res, filepath.Join(builder, f.Name()))
 			}
 		}
@@ -80,6 +83,9 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 	t.Parallel()
 	goBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml"
 	genericBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"
+	delegatorBuilder := "https://github.com/slsa-framework/example-trw/.github/workflows/builder_high-perms_slsa3.yml"
+	mavenBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml"
+	gradleBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_gradle_slsa3.yml"
 
 	tests := []struct {
 		name         string
@@ -534,7 +540,11 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 				var provenancePath string
 				if tt.provenancePath == "" {
 					testPath := filepath.Clean(filepath.Join(TEST_DIR, v, tt.artifacts[0]))
-					provenancePath = fmt.Sprintf("%s.intoto.jsonl", testPath)
+					if strings.Contains(testPath, "delegator") || strings.Contains(testPath, "maven") || strings.Contains(testPath, "gradle") {
+						provenancePath = fmt.Sprintf("%s.build.slsa", testPath)
+					} else {
+						provenancePath = fmt.Sprintf("%s.intoto.jsonl", testPath)
+					}
 				} else {
 					provenancePath = filepath.Clean(filepath.Join(TEST_DIR, v, tt.provenancePath))
 				}
@@ -564,14 +574,25 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 					builder = goBuilder
 				case strings.HasSuffix(name, "_generic"):
 					builder = genericBuilder
+				case strings.HasSuffix(name, "_delegator"):
+					builder = delegatorBuilder
+				case strings.HasSuffix(name, "_maven"):
+					builder = mavenBuilder
+				case strings.HasSuffix(name, "_gradle"):
+					builder = gradleBuilder
 				default:
 					builder = genericBuilder
 				}
 
 				// Default builders to test.
 				builderIDs := []*string{
 					pString(builder),
-					nil,
+				}
+
+				// Do not run without explicit builder ID for the delegator,
+				// because it's hosted on a different repo slsa-framework/example-package.
+				if builder != delegatorBuilder {
+					builderIDs = append(builderIDs, nil)
 				}
 
 				// We only add the tags to tests for versions >= 1,

diff --git a/cli/slsa-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v13.0.30 b/cli/slsa-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v13.0.30
diff --git a/...r/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v13.0.30.intoto.build.slsa b/...r/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v13.0.30.intoto.build.slsa
diff --git a/cli/slsa-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14 b/cli/slsa-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14
diff --git a/cli/slsa-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14.2 b/cli/slsa-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14.2
diff --git a/...fier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14.2.intoto.build.slsa b/...fier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14.2.intoto.build.slsa
diff --git a/...rifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14.intoto.build.slsa b/...rifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-v14.intoto.build.slsa
diff --git a/...a-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-workflow_dispatch b/...a-verifier/testdata/gha_container-based/v1.9.0/based-binary-linux-amd64-workflow_dispatch
diff --git a/...a/gha_container-based/v1.9.0/based-binary-linux-amd64-workflow_dispatch.intoto.build.slsa b/...a/gha_container-based/v1.9.0/based-binary-linux-amd64-workflow_dispatch.intoto.build.slsa
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v13.0.30 b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v13.0.30
@@ -0,0 +1 @@
+hello
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v13.0.30.build.slsa b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v13.0.30.build.slsa
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14 b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14
@@ -0,0 +1 @@
+hello
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14.2 b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14.2
@@ -0,0 +1 @@
+hello
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14.2.build.slsa b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14.2.build.slsa
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14.build.slsa b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-v14.build.slsa
diff --git a/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-workflow_dispatch b/cli/slsa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-workflow_dispatch
@@ -0,0 +1 @@
+hello
diff --git a/...sa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-workflow_dispatch.build.slsa b/...sa-verifier/testdata/gha_delegator/v1.9.0/binary-linux-amd64-workflow_dispatch.build.slsa
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v13.0.30 b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v13.0.30
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v13.0.30.intoto.jsonl b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v13.0.30.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14 b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14.2 b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14.2
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14.2.intoto.jsonl b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14.2.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14.intoto.jsonl b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-v14.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-workflow_dispatch b/cli/slsa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-workflow_dispatch
diff --git a/...sa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-workflow_dispatch.intoto.jsonl b/...sa-verifier/testdata/gha_generic/v1.9.0/binary-linux-amd64-workflow_dispatch.intoto.jsonl
@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJnaGFfZ2VuZXJpYy1iaW5hcnktbGludXgtYW1kNjQtd29ya2Zsb3dfZGlzcGF0Y2giLCJkaWdlc3QiOnsic2hhMjU2IjoiMjVkMzViNzgxYmVmMWZjZjhjMmQ4NjNmYTIxZGNlYmRhMDg3NDg5NTViM2FmZjcxZDRmNWZjY2JiZGVmZTQxYSJ9fV0sInByZWRpY2F0ZSI6eyJidWlsZGVyIjp7ImlkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL3Nsc2EtZ2l0aHViLWdlbmVyYXRvci8uZ2l0aHViL3dvcmtmbG93cy9nZW5lcmF0b3JfZ2VuZXJpY19zbHNhMy55bWxAcmVmcy90YWdzL3YxLjkuMCJ9LCJidWlsZFR5cGUiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yL2dlbmVyaWNAdjEiLCJpbnZvY2F0aW9uIjp7ImNvbmZpZ1NvdXJjZSI6eyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZUByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsic2hhMSI6IjJiY2FhNzQ5NWUxY2JkMTFmYmQ0ZjU5OGQ4NTdiM2E2ZjE4ZGY5MzMifSwiZW50cnlQb2ludCI6Ii5naXRodWIvd29ya2Zsb3dzL3ZlcmlmaWVyLWUyZS5hbGwud29ya2Zsb3dfZGlzcGF0Y2gubWFpbi5hbGwuc2xzYTMueW1sIn0sInBhcmFtZXRlcnMiOnt9LCJlbnZpcm9ubWVudCI6eyJnaXRodWJfYWN0b3IiOiJsYXVyZW50c2ltb24iLCJnaXRodWJfYWN0b3JfaWQiOiI2NDUwNTA5OSIsImdpdGh1Yl9iYXNlX3JlZiI6IiIsImdpdGh1Yl9ldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJnaXRodWJfZXZlbnRfcGF5bG9hZCI6eyJpbnB1dHMiOm51bGwsIm9yZ2FuaXphdGlvbiI6eyJhdmF0YXJfdXJsIjoiaHR0cHM6Ly9hdmF0YXJzLmdpdGh1YnVzZXJjb250ZW50LmNvbS91LzgwNDMxMTg3P3Y9NCIsImRlc2NyaXB0aW9uIjoiU3VwcGx5LWNoYWluIExldmVscyBmb3IgU29mdHdhcmUgQXJ0aWZhY3RzIiwiZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vb3Jncy9zbHNhLWZyYW1ld29yay9ldmVudHMiLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3Mvc2xzYS1mcmFtZXdvcmsvaG9va3MiLCJpZCI6ODA0MzExODcsImlzc3Vlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3Mvc2xzYS1mcmFtZXdvcmsvaXNzdWVzIiwibG9naW4iOiJzbHNhLWZyYW1ld29yayIsIm1lbWJlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9vcmdzL3Nsc2EtZnJhbWV3b3JrL21lbWJlcnN7L21lbWJlcn0iLCJub2RlX2lkIjoiTURFeU9rOXlaMkZ1YVhwaGRHbHZiamd3TkRNeE1UZzMiLCJwdWJsaWNfbWVtYmVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3Mvc2xzYS1mcmFtZXdvcmsvcHVibGljX21lbWJlcnN7L21lbWJlcn0iLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3Mvc2xzYS1mcmFtZXdvcmsvcmVwb3MiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL29yZ3Mvc2xzYS1mcmFtZXdvcmsifSwicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6eyJhbGxvd19mb3JraW5nIjp0cnVlLCJhcmNoaXZlX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL3thcmNoaXZlX2Zvcm1hdH17L3JlZn0iLCJhcmNoaXZlZCI6ZmFsc2UsImFzc2lnbmVlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvZ2l0L2Jsb2Jzey9zaGF9IiwiYnJhbmNoZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvYnJhbmNoZXN7L2JyYW5jaH0iLCJjbG9uZV91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvY29sbGFib3JhdG9yc3svY29sbGFib3JhdG9yfSIsImNvbW1lbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2NvbW1lbnRzey9udW1iZXJ9IiwiY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9jb21wYXJlL3tiYXNlfS4uLntoZWFkfSIsImNvbnRlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2NvbnRlbnRzL3srcGF0aH0iLCJjb250cmlidXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6IjIwMjItMDQtMjdUMTk6MzA6NDNaIiwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvZGVwbG95bWVudHMiLCJkZXNjcmlwdGlvbiI6bnVsbCwiZGlzYWJsZWQiOmZhbHNlLCJkb3dubG9hZHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvZG93bmxvYWRzIiwiZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2V2ZW50cyIsImZvcmsiOmZhbHNlLCJmb3JrcyI6MjAsImZvcmtzX2NvdW50IjoyMCwiZm9ya3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvZm9ya3MiLCJmdWxsX25hbWUiOiJzbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UiLCJnaXRfY29tbWl0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9naXQvY29tbWl0c3svc2hhfSIsImdpdF9yZWZzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2dpdC9yZWZzey9zaGF9IiwiZ2l0X3RhZ3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvZ2l0L3RhZ3N7L3NoYX0iLCJnaXRfdXJsIjoiZ2l0Oi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UuZ2l0IiwiaGFzX2Rpc2N1c3Npb25zIjpmYWxzZSwiaGFzX2Rvd25sb2FkcyI6dHJ1ZSwiaGFzX2lzc3VlcyI6dHJ1ZSwiaGFzX3BhZ2VzIjpmYWxzZSwiaGFzX3Byb2plY3RzIjp0cnVlLCJoYXNfd2lraSI6dHJ1ZSwiaG9tZXBhZ2UiOm51bGwsImhvb2tzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2hvb2tzIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlIiwiaWQiOjQ4NjMyNTgwOSwiaXNfdGVtcGxhdGUiOmZhbHNlLCJpc3N1ZV9jb21tZW50X3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2lzc3Vlcy9jb21tZW50c3svbnVtYmVyfSIsImlzc3VlX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9pc3N1ZXMvZXZlbnRzey9udW1iZXJ9IiwiaXNzdWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2lzc3Vlc3svbnVtYmVyfSIsImtleXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2Uva2V5c3sva2V5X2lkfSIsImxhYmVsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9sYWJlbHN7L25hbWV9IiwibGFuZ3VhZ2UiOiJUeXBlU2NyaXB0IiwibGFuZ3VhZ2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2xhbmd1YWdlcyIsImxpY2Vuc2UiOnsia2V5IjoiYXBhY2hlLTIuMCIsIm5hbWUiOiJBcGFjaGUgTGljZW5zZSAyLjAiLCJub2RlX2lkIjoiTURjNlRHbGpaVzV6WlRJPSIsInNwZHhfaWQiOiJBcGFjaGUtMi4wIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9saWNlbnNlcy9hcGFjaGUtMi4wIn0sIm1lcmdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9tZXJnZXMiLCJtaWxlc3RvbmVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL21pbGVzdG9uZXN7L251bWJlcn0iLCJtaXJyb3JfdXJsIjpudWxsLCJuYW1lIjoiZXhhbXBsZS1wYWNrYWdlIiwibm9kZV9pZCI6IlJfa2dET0hQeS1NUSIsIm5vdGlmaWNhdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2Uvbm90aWZpY2F0aW9uc3s/c2luY2UsYWxsLHBhcnRpY2lwYXRpbmd9Iiwib3Blbl9pc3N1ZXMiOjQ3LCJvcGVuX2lzc3Vlc19jb3VudCI6NDcsIm93bmVyIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvODA0MzExODc/dj00IiwiZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvc2xzYS1mcmFtZXdvcmsvZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3Nsc2EtZnJhbWV3b3JrL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3Nsc2EtZnJhbWV3b3JrL2ZvbGxvd2luZ3svb3RoZXJfdXNlcn0iLCJnaXN0c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3Nsc2EtZnJhbWV3b3JrL2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsiLCJpZCI6ODA0MzExODcsImxvZ2luIjoic2xzYS1mcmFtZXdvcmsiLCJub2RlX2lkIjoiTURFeU9rOXlaMkZ1YVhwaGRHbHZiamd3TkRNeE1UZzMiLCJvcmdhbml6YXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvc2xzYS1mcmFtZXdvcmsvb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3Nsc2EtZnJhbWV3b3JrL3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvc2xzYS1mcmFtZXdvcmsvcmVwb3MiLCJzaXRlX2FkbWluIjpmYWxzZSwic3RhcnJlZF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3Nsc2EtZnJhbWV3b3JrL3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvc2xzYS1mcmFtZXdvcmsvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJPcmdhbml6YXRpb24iLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL3Nsc2EtZnJhbWV3b3JrIn0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS9wdWxsc3svbnVtYmVyfSIsInB1c2hlZF9hdCI6IjIwMjMtMDgtMjNUMDU6MTI6MDBaIiwicmVsZWFzZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UvcmVsZWFzZXN7L2lkfSIsInNpemUiOjY4MjksInNzaF91cmwiOiJnaXRAZ2l0aHViLmNvbTpzbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UuZ2l0Iiwic3RhcmdhemVyc19jb3VudCI6MTIsInN0YXJnYXplcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2Uvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL3N0YXR1c2VzL3tzaGF9Iiwic3Vic2NyaWJlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2Uvc3Vic2NyaWJlcnMiLCJzdWJzY3JpcHRpb25fdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2Uvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UiLCJ0YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL3RhZ3MiLCJ0ZWFtc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS90ZWFtcyIsInRvcGljcyI6W10sInRyZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlL2dpdC90cmVlc3svc2hhfSIsInVwZGF0ZWRfYXQiOiIyMDIzLTA4LTE0VDA4OjMwOjEzWiIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3Mvc2xzYS1mcmFtZXdvcmsvZXhhbXBsZS1wYWNrYWdlIiwidmlzaWJpbGl0eSI6InB1YmxpYyIsIndhdGNoZXJzIjoxMiwid2F0Y2hlcnNfY291bnQiOjEyLCJ3ZWJfY29tbWl0X3NpZ25vZmZfcmVxdWlyZWQiOnRydWV9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS82NDUwNTA5OT92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vZXZlbnRzey9wcml2YWN5fSIsImZvbGxvd2Vyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9mb2xsb3dlcnMiLCJmb2xsb3dpbmdfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL2dpc3Rzey9naXN0X2lkfSIsImdyYXZhdGFyX2lkIjoiIiwiaHRtbF91cmwiOiJodHRwczovL2dpdGh1Yi5jb20vbGF1cmVudHNpbW9uIiwiaWQiOjY0NTA1MDk5LCJsb2dpbiI6ImxhdXJlbnRzaW1vbiIsIm5vZGVfaWQiOiJNRFE2VlhObGNqWTBOVEExTURrNSIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9sYXVyZW50c2ltb24vb3JncyIsInJlY2VpdmVkX2V2ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL2xhdXJlbnRzaW1vbi9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL3N0YXJyZWR7L293bmVyfXsvcmVwb30iLCJzdWJzY3JpcHRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uL3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbGF1cmVudHNpbW9uIn0sIndvcmtmbG93IjoiLmdpdGh1Yi93b3JrZmxvd3MvdmVyaWZpZXItZTJlLmFsbC53b3JrZmxvd19kaXNwYXRjaC5tYWluLmFsbC5zbHNhMy55bWwifSwiZ2l0aHViX2hlYWRfcmVmIjoiIiwiZ2l0aHViX3JlZiI6InJlZnMvaGVhZHMvbWFpbiIsImdpdGh1Yl9yZWZfdHlwZSI6ImJyYW5jaCIsImdpdGh1Yl9yZXBvc2l0b3J5X2lkIjoiNDg2MzI1ODA5IiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXIiOiJzbHNhLWZyYW1ld29yayIsImdpdGh1Yl9yZXBvc2l0b3J5X293bmVyX2lkIjoiODA0MzExODciLCJnaXRodWJfcnVuX2F0dGVtcHQiOiIxIiwiZ2l0aHViX3J1bl9pZCI6IjU5NDczNDA2NzciLCJnaXRodWJfcnVuX251bWJlciI6Ijg0IiwiZ2l0aHViX3NoYTEiOiIyYmNhYTc0OTVlMWNiZDExZmJkNGY1OThkODU3YjNhNmYxOGRmOTMzIn19LCJtZXRhZGF0YSI6eyJidWlsZEludm9jYXRpb25JRCI6IjU5NDczNDA2NzctMSIsImNvbXBsZXRlbmVzcyI6eyJwYXJhbWV0ZXJzIjp0cnVlLCJlbnZpcm9ubWVudCI6ZmFsc2UsIm1hdGVyaWFscyI6ZmFsc2V9LCJyZXByb2R1Y2libGUiOmZhbHNlfSwibWF0ZXJpYWxzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZUByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsic2hhMSI6IjJiY2FhNzQ5NWUxY2JkMTFmYmQ0ZjU5OGQ4NTdiM2E2ZjE4ZGY5MzMifX1dfX0=","signatures":[{"keyid":"","sig":"MEYCIQCZkGqhZLeE1ljp3mCH8EOO+IDgDhuWXkLzxO4HNed5NwIhAPgpOXlY2s6Khz1xJoRfYE/NpxAaC2evWhDOJc6or2Uh","cert":"-----BEGIN CERTIFICATE-----\nMIIHrzCCBzWgAwIBAgIUCANx9frzJ9PmIeEKg4IqAvqZz90wCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjMwODIzMDUyMTQ4WhcNMjMwODIzMDUzMTQ4WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEpvDCAQ7L6Y3dqgYRvRwOvGwkn1fcaT/nrugt\ndGMPxcc/HZj4wupswgoacnr99GelAV82FPTwjoefA/6aPIwS8aOCBlQwggZQMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUy9SB\n/r5zqvJX/VcU/SiRifZ9wnIwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wgYQGA1UdEQEB/wR6MHiGdmh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1l\nd29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvZ2Vu\nZXJhdG9yX2dlbmVyaWNfc2xzYTMueW1sQHJlZnMvdGFncy92MS45LjAwOQYKKwYB\nBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50\nLmNvbTAfBgorBgEEAYO/MAECBBF3b3JrZmxvd19kaXNwYXRjaDA2BgorBgEEAYO/\nMAEDBCgyYmNhYTc0OTVlMWNiZDExZmJkNGY1OThkODU3YjNhNmYxOGRmOTMzMFUG\nCisGAQQBg78wAQQERy5naXRodWIvd29ya2Zsb3dzL3ZlcmlmaWVyLWUyZS5hbGwu\nd29ya2Zsb3dfZGlzcGF0Y2gubWFpbi5hbGwuc2xzYTMueW1sMCwGCisGAQQBg78w\nAQUEHnNsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZTAdBgorBgEEAYO/MAEG\nBA9yZWZzL2hlYWRzL21haW4wOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2Vu\nLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMIGGBgorBgEEAYO/MAEJBHgM\ndmh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1n\nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvZ2VuZXJhdG9yX2dlbmVyaWNfc2xz\nYTMueW1sQHJlZnMvdGFncy92MS45LjAwOAYKKwYBBAGDvzABCgQqDCgwN2U2NGI2\nNTNmMTBhODBiNjUxMGY0NTY4ZjY4NWY4YjdiOWVhODMwMB0GCisGAQQBg78wAQsE\nDwwNZ2l0aHViLWhvc3RlZDBBBgorBgEEAYO/MAEMBDMMMWh0dHBzOi8vZ2l0aHVi\nLmNvbS9zbHNhLWZyYW1ld29yay9leGFtcGxlLXBhY2thZ2UwOAYKKwYBBAGDvzAB\nDQQqDCgyYmNhYTc0OTVlMWNiZDExZmJkNGY1OThkODU3YjNhNmYxOGRmOTMzMB8G\nCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJ\nNDg2MzI1ODA5MDEGCisGAQQBg78wARAEIwwhaHR0cHM6Ly9naXRodWIuY29tL3Ns\nc2EtZnJhbWV3b3JrMBgGCisGAQQBg78wAREECgwIODA0MzExODcwgZsGCisGAQQB\ng78wARIEgYwMgYlodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvZXhh\nbXBsZS1wYWNrYWdlLy5naXRodWIvd29ya2Zsb3dzL3ZlcmlmaWVyLWUyZS5hbGwu\nd29ya2Zsb3dfZGlzcGF0Y2gubWFpbi5hbGwuc2xzYTMueW1sQHJlZnMvaGVhZHMv\nbWFpbjA4BgorBgEEAYO/MAETBCoMKDJiY2FhNzQ5NWUxY2JkMTFmYmQ0ZjU5OGQ4\nNTdiM2E2ZjE4ZGY5MzMwIQYKKwYBBAGDvzABFAQTDBF3b3JrZmxvd19kaXNwYXRj\naDBkBgorBgEEAYO/MAEVBFYMVGh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1l\nd29yay9leGFtcGxlLXBhY2thZ2UvYWN0aW9ucy9ydW5zLzU5NDczNDA2NzcvYXR0\nZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBiwYKKwYBBAHWeQIEAgR9\nBHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABiiDXgX0A\nAAQDAEgwRgIhAMenjJObABbRHynEk7DHVi53e9WDibKxoK5IXydCIUczAiEAzbUu\nG3TWB3teyEynW6fu5OXsGEuiHPUpfVzGIxkS7eMwCgYIKoZIzj0EAwMDaAAwZQIw\nR9X7ikfA4gRaWYXFDqORwLVyOFiDA/Clv8LaLS6SvouQ+x9DKL5oOY2U6shfWdvV\nAjEAkEyUZttvWf2NwE4kIdpIe6try/xefHB3saGCJuwP48qFCi5YbxuYUchLk7ps\najE6\n-----END CERTIFICATE-----\n"}]}
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v13.0.30 b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v13.0.30
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v13.0.30.intoto.jsonl b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v13.0.30.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14 b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14.2 b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14.2
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14.2.intoto.jsonl b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14.2.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14.intoto.jsonl b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-v14.intoto.jsonl
diff --git a/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-workflow_dispatch b/cli/slsa-verifier/testdata/gha_go/v1.9.0/binary-linux-amd64-workflow_dispatch