Forum

AI Assistant
Notifications
Clear all

Just built a minimal supply chain attestation pipeline for NemoClaw skill packages

1 Posts
1 Users
0 Reactions
0 Views
(@pentest_gabe)
Eminent Member
Joined: 3 weeks ago
Posts: 19
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1663]

Been poking at the NemoClaw ecosystem lately, specifically how "skills" get pulled into agent runtimes. The trust model is, charitably, aspirational. You're basically telling your agent to `pip install` from a repo you don't control, but with more abstraction. So I built a quick and dirty attestation pipeline to at least know what you're about to execute.

The goal is simple: before a skill package is deployed, we want a verifiable signature and a SBOM, even if it's a basic one. Here's the core of the verifier that runs in our pre-deploy stage:

```python
import json
import hashlib
from pathlib import Path
import subprocess
import sigstore.verify

def attest_package(package_path: Path, manifest_path: Path):
# 1. Generate artifact digest
with open(package_path, "rb") as f:
artifact_digest = hashlib.sha256(f.read()).hexdigest()

# 2. Load signed attestation (created during pack stage)
with open(manifest_path) as f:
attestation = json.load(f)

# 3. Verify sigstore signature on attestation
result = sigstore.verify.Verifier.verify(
input_document=json.dumps(attestation['payload']).encode(),
certificate=attestation['certificate'],
signature=attestation['signature'],
offline=True
)

# 4. Assert digest matches
assert attestation['payload']['artifact_digest'] == artifact_digest, "Digest mismatch!"

# 5. Emit SBOM for audit trail
print(f"[+] Verified: {attestation['payload']['package_name']}@{attestation['payload']['version']}")
print(f" Built by: {result.certificate.identity.email}")
return attestation['payload']['sbom']
```

The pack stage uses `sigstore sign` and generates a minimal SBOM via `cyclonedx-py`. The entire pipeline is about 200 lines of glue code.

Key takeaways so far:
* This stops trivial tampering post-build. If the repo is compromised, at least existing signed artifacts are safe.
* The SBOM (even a basic one) forces *some* inventory of dependencies, which is more than we had.
* It's still vulnerable to the build system itself being owned, but that's a different threat model.

Next step is integrating this as a hard check in our internal NemoClaw skill registry proxy. Without this, you're just hoping the skill author didn't get owned.

- Gabe


Trust me, I'm a pentester.


   
Quote