laurentsimon

Results 1092 comments of laurentsimon

Yes it is. I think they decided to specialize the meaning to be specific to git, i.e. it is a sha1 over git, rather than a sha1 over a set of...

Sure, this is the original comment: https://github.com/slsa-framework/slsa-github-generator/issues/2425#issuecomment-1643168515

https://github.com/slsa-framework/slsa-github-generator/issues/1575 was more about TRW-specific sensitive inputs. The GH payload we record is the one we need to address next before BYOB release.

If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that `--print-provenance` prints. This requires...

Good idea. Please link the issue once you have created one on their repo.

Example of claims and change in parsing: https://github.com/sigstore/fulcio/issues/754#issuecomment-1470946162

Done in https://github.com/slsa-framework/slsa-verifier/pull/572. Closing

> Now someone can force push with new tags and we would never know about it.

Correct, but it has no consequence in an unprivileged workflow.

> Why not configure...