asraa

Results 448 comments of asraa

Oops, we are, I read this too fast :)

> When connecting to rekor, ensure the TLS connection verifies presence of the cert in the CT

So this is ensuring...

Pros IMO are that provenance is very SLSA build specific to me - provenance is one type of attestation referring, I think, specifically to a build process

> Provenance is...

We currently support `provenance-name` option for our generators. This might end up being confusing, but I don't know the context of why `attestation-name` was deprecated. Moreover, the generators DO produce...

Thanks @sethmlarson! Yes, I think this will need some tweaking, but actually we already do something similar for container images (where the registry may hold multiple provenance attestations), so I'll...

Yes, technically the signatures matching is the only requirement - although this is a "SHOULD" as an extra robustness pass. Verifying the sigs match implicitly verifies the public key of...

Should we be able to do this? They are not SLSA 3, so it complicates the logic we have for detecting a trusted builder.

Just checked one more off - the remaining e2e test items that could be improved (like checking to ensure the container builds are fresh) are here: https://github.com/slsa-framework/example-package/issues/149

> So we should add tests for "normal" repositories,

Should we specify an env var for allowing this as an exception instead of using a workaround hard-coded in code? Otherwise,...

Yeah, I assume because it serves as an example provenance repository.

> they let anyone - not just us - change the behavior of the verifier in a less secure...

Should we use the `annotation` `source: true` or wait for a universal annotation that GCB and other builders will use?