Installation
Prerequisites
- Python 3.7+
- If your system Python does not meet that requirement, you can use pyenv to maintain one or more Python versions and select one on a per-directory basis.
- pip
Tip
It is recommended to use a virtual environment such as the Python built-in venv module or the virtualenv package.
Option 1: Install from PyPI.
Option 2: Install from a GitHub branch, such as main as shown below.
At this point you should be able to verify that aclgen was installed. The path may be different for you depending on your environment.
Verifying Installation
At each release we sign the build artifacts with Sigstore and publish a SLSA provenance file, so you can validate what you download and guard against supply chain attacks. The instructions provided here will work on most Linux distributions. Windows may require a different but comparable tool from the prerequisites list and some modifications to the instructions. Some of the tools may already be installed; if not, they are likely available via your package management system.
Prerequisites
Instructions
- Download the `whl`, `whl.crt`, `whl.sig`, and `jsonl` files from the latest release:

  ```shell
  REPO="aerleon/aerleon"
  VER=$(curl --silent -qI https://github.com/$REPO/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}')
  wget https://github.com/$REPO/releases/download/$VER/provenance-sigstore-$VER.intoto.jsonl
  wget https://github.com/$REPO/releases/download/$VER/aerleon-$VER-py3-none-any.whl
  ```
- Inspect the certificate

  We sign with Sigstore keyless signing using an OpenID Connect identity, so the signing keys are ephemeral and short-lived. The certificate's extensions tell you where the signature came from, and they should match our repository. More information about each OID can be found at Sigstore.

  ```shell
  cat provenance-sigstore-1.0.1.intoto.jsonl | jq -r '.signatures[0].cert' | openssl x509 -text -noout
  ```

  ```text
  URI:https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.1
  1.3.6.1.4.1.57264.1.1: https://token.actions.githubusercontent.com
  1.3.6.1.4.1.57264.1.2: release
  1.3.6.1.4.1.57264.1.3: 2efc48f2f0a83eb0eb279f18b612584cfa4963b2
  1.3.6.1.4.1.57264.1.4: Release
  1.3.6.1.4.1.57264.1.5: aerleon/aerleon
  1.3.6.1.4.1.57264.1.6: refs/tags/1.0.1
  ```

  In this output the extensions give, in order, the OIDC issuer, the workflow trigger, the commit SHA, the workflow name, the repository and the git ref of the build that signed the release; the repository and ref are the values to compare against the release you downloaded.
- Inspect the SLSA file

  The SLSA provenance file (the `.intoto.jsonl` you downloaded) contains information on what went into building the whl, such as who initiated the build and the hashes of every artifact.
Since we use Sigstore for signing our code, every signature is recorded in the Rekor transparency log, so you can verify that our signing process is valid by looking at those logs. You can find documentation on verifying binaries here.
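The checks described in the SLSA-file step above, as an added example that is not part of the Aerleon docs or project code: it decodes the DSSE envelope from a provenance `.intoto.jsonl` line, confirms the wheel's sha256 appears as a subject, and confirms the builder id and source repository are the expected ones. The sample envelope is constructed here to mirror the layout emitted by slsa-github-generator (SLSA v0.2 predicate); the field paths (`predicate.builder.id`, `predicate.invocation.configSource.uri`) are assumptions about that layout. Signature and Rekor log verification are left to Sigstore tooling (sigstore-python or slsa-verifier), which this script does not replace.

```python
"""Check a SLSA provenance file (a DSSE envelope stored as .intoto.jsonl)
against a downloaded wheel.  Added example, not Aerleon project code: the
sample envelope is constructed to mirror slsa-github-generator output
(SLSA v0.2 predicate); the field paths used are assumptions about that layout.
Signature and Rekor log verification are left to sigstore / slsa-verifier."""
import base64
import hashlib
import json
import sys

# Identity expected in the provenance: the builder workflow shown in the
# certificate on the docs page, and the Aerleon source repository.
EXPECTED_BUILDER_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_generic_slsa3.yml@"
)
EXPECTED_SOURCE_PREFIX = "git+https://github.com/aerleon/aerleon@"

# Constructed stand-in for the wheel bytes; a real run hashes the downloaded .whl.
SAMPLE_WHEEL_NAME = "aerleon-1.0.1-py3-none-any.whl"
SAMPLE_WHEEL = b"PK\x03\x04 constructed wheel bytes for demonstration"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_envelope(wheel_name, wheel_bytes, builder_id, source_uri):
    """Construct one line of an .intoto.jsonl file (DSSE envelope, unsigned)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": wheel_name, "digest": {"sha256": sha256_hex(wheel_bytes)}}],
        "predicate": {
            "builder": {"id": builder_id},
            "invocation": {"configSource": {"uri": source_uri}},
        },
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        # Placeholders: a real envelope carries the Sigstore signature and cert.
        "signatures": [{"sig": "<signature-omitted>", "cert": "<pem-omitted>"}],
    }
    return json.dumps(envelope)


def parse_statement(jsonl_line):
    """Decode the base64 DSSE payload into the in-toto statement."""
    envelope = json.loads(jsonl_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("not an in-toto DSSE envelope")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(jsonl_line, wheel_name, wheel_bytes):
    """Return a list of problems; an empty list means the wheel matches the provenance."""
    problems = []
    statement = parse_statement(jsonl_line)
    predicate = statement.get("predicate", {})

    # 1. The wheel must be a subject of the statement and its sha256 must match.
    digests = {s["name"]: s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if wheel_name not in digests:
        problems.append("wheel %s is not a subject of the provenance" % wheel_name)
    elif digests[wheel_name] != sha256_hex(wheel_bytes):
        problems.append("sha256 of the wheel does not match the provenance digest")

    # 2. The build must come from the expected trusted builder workflow.
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(EXPECTED_BUILDER_PREFIX):
        problems.append("unexpected builder id: %r" % builder_id)

    # 3. The build must have been configured from the expected source repository.
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not source_uri.startswith(EXPECTED_SOURCE_PREFIX):
        problems.append("unexpected source repository: %r" % source_uri)
    return problems


if __name__ == "__main__":
    # Usage: python check_provenance.py provenance-sigstore-<VER>.intoto.jsonl aerleon-<VER>-py3-none-any.whl
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2], "rb") as w:
            line, wheel_name, wheel = f.readline(), sys.argv[2].rsplit("/", 1)[-1], w.read()
    else:  # no files given: run against the constructed sample
        line = build_sample_envelope(SAMPLE_WHEEL_NAME, SAMPLE_WHEEL,
                                     EXPECTED_BUILDER_PREFIX + "refs/tags/v1.2.1",
                                     EXPECTED_SOURCE_PREFIX + "refs/tags/1.0.1")
        wheel_name, wheel = SAMPLE_WHEEL_NAME, SAMPLE_WHEEL
    for problem in check_provenance(line, wheel_name, wheel) or ["provenance matches"]:
        print(problem)
```

Run it with the two downloaded files as arguments to check a real release; with no arguments it exercises the constructed sample. A mismatch in the sha256 is the signal that the wheel you hold is not the one the builder produced, and an unexpected builder id or source URI means the provenance was produced by something other than the trusted workflow on the Aerleon repository, even if the file is otherwise well-formed.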