jsr icon indicating copy to clipboard operation
jsr copied to clipboard
verified publisher icon jsr-io

Publish attestations

Open littledivy opened this issue 1 year ago • 0 comments

We currently support provenance attestations published by the client. The registry should upload a publish attestation to prove that the package was published by it. This can be used for verification.

Before we start work on this:

  • move client and server provenance code to a single crate: https://github.com/jsr-io/provenance because API types can be shared & server verification of package provenance can be reused by the verifiers.

littledivy avatar Mar 15 '24 03:03 littledivy