laurentsimon
This adds support for running AFL in non-deterministic mode and with a dictionary.
Following our discussion from last week, this is the PoC to generate SLSA provenance. We're working on verification support in the next couple of weeks, but it should not block...
Tracking issue for https://github.com/slsa-framework/slsa/pull/1037#discussion_r1526020307 Main comments:
- The current claims are a mix of policy (who's allowed to review) and facts (who reviewed).
- The current use case is useful...
See https://github.com/cli/cli/pull/8698/ for required code changes
See VSA https://slsa.dev/verification_summary/v0.2 High-level verification in CLI:
```shell
$ slsa-verifier verify-vsa --vsa-path verifier-id google.com [--resource-uri ] --policy-level X
```
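As an added illustration of what the CLI sketched above has to decide once the VSA is in hand (this is example code written for this page, not slsa-verifier's implementation): evaluate the claims of a VSA against a caller's policy, i.e. the expected verifier identity, an optional resource URI, an optional artifact digest, and a minimum build level. The field layout follows the v0.2 VSA predicate the post links to; the `SLSA_BUILD_LEVEL_<n>` level-string shape, the sample statement, the `https://example.com/...` URIs and the placeholder digest are constructed assumptions. Signature verification of the DSSE envelope and mapping the signing key to the verifier identity are deliberately out of scope and must happen before this check; accepting claims from an unverified payload is the failure mode to avoid.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Predicate type of the VSA version the post links to.
VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v0.2"
# Level string shape assumed for this example; confirm against the spec you target.
BUILD_LEVEL_RE = re.compile(r"^SLSA_BUILD_LEVEL_(\d+)$")


class VsaPolicyError(Exception):
    """The VSA payload does not satisfy the caller's policy."""


@dataclass
class VsaPolicy:
    """Mirrors the CLI inputs: who must have verified, to what level, for which resource."""
    verifier_id: str
    min_build_level: int
    resource_uri: Optional[str] = None
    artifact_sha256: Optional[str] = None


def highest_build_level(verified_levels) -> int:
    """Highest SLSA build level among the claimed levels, or -1 if none is a build level."""
    best = -1
    for lvl in verified_levels:
        m = BUILD_LEVEL_RE.match(lvl)
        if m:
            best = max(best, int(m.group(1)))
    return best


def check_vsa(statement: dict, policy: VsaPolicy) -> int:
    """Check an in-toto Statement carrying a VSA against policy.

    The caller must already have verified the DSSE envelope signature and
    mapped the signing key to policy.verifier_id; this function only
    evaluates the claims. Returns the verified build level or raises.
    """
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        raise VsaPolicyError(f"unexpected predicateType {statement.get('predicateType')!r}")
    pred = statement.get("predicate") or {}
    if pred.get("verificationResult") != "PASSED":
        raise VsaPolicyError(f"verificationResult is {pred.get('verificationResult')!r}")
    verifier = (pred.get("verifier") or {}).get("id")
    if verifier != policy.verifier_id:
        raise VsaPolicyError(f"verifier {verifier!r}, expected {policy.verifier_id!r}")
    if policy.resource_uri is not None and pred.get("resourceUri") != policy.resource_uri:
        raise VsaPolicyError(f"resourceUri {pred.get('resourceUri')!r}, expected {policy.resource_uri!r}")
    if policy.artifact_sha256 is not None:
        digests = {(s.get("digest") or {}).get("sha256") for s in statement.get("subject", [])}
        if policy.artifact_sha256 not in digests:
            raise VsaPolicyError("artifact sha256 is not a subject of this VSA")
    level = highest_build_level(pred.get("verifiedLevels") or [])
    if level < policy.min_build_level:
        raise VsaPolicyError(f"verified build level {level} below required {policy.min_build_level}")
    return level


def vsa_satisfies(statement: dict, policy: VsaPolicy) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_vsa(statement, policy)
        return True
    except VsaPolicyError:
        return False


# Constructed sample statement (not a real VSA); the digest is a placeholder.
SAMPLE_DIGEST = "a" * 64
SAMPLE_VSA = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example-package-1.0.0.tgz", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": VSA_PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": "https://example.com/verifier"},
        "timeVerified": "2024-03-01T00:00:00Z",
        "resourceUri": "pkg:npm/example-package@1.0.0",
        "policy": {"uri": "https://example.com/policy.yaml"},
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
    },
}

if __name__ == "__main__":
    ok = VsaPolicy("https://example.com/verifier", 3, "pkg:npm/example-package@1.0.0", SAMPLE_DIGEST)
    print("accepted at build level", check_vsa(SAMPLE_VSA, ok))
    too_strict = VsaPolicy("https://example.com/verifier", 4)
    print("level 4 required:", vsa_satisfies(SAMPLE_VSA, too_strict))
```

Every check is fail-closed: a missing field, a non-`PASSED` result, a verifier other than the one the caller trusts, or a level below the requested one all reject. Matching the artifact digest against the statement's `subject` is what ties the VSA to the bytes actually being installed rather than to a name.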
The reusable workflow can be pinned by hash, version or tag in general. However:
1. Pinned by hash makes it pretty hard to retrieve the branch during verification.
2. Pinned...
- verify artifacts. Take an artifact or hash and a set of mandatory metadata (source repo)
- verify packages. Take an artifact or hash and a set of mandatory metadata...
This repo https://github.com/slsa-framework/slsa-policy slsa-verifier would then become the single source for:
- APIs to verify attestations (the current scope of the repo so far)
- APIs to generate attestations (VSA,...
As part of the effort to bring SLSA to ML https://github.com/google/model-transparency, we need to be able to sign directories. This requires the definition of a new "hash", i.e. how to...
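One way to define the "hash" of a directory that the post above asks for, shown as an added example written for this page (it is not model-transparency's format or code): digest a sorted manifest of (relative path, per-file SHA-256) entries, with every field length-prefixed and a domain-separation tag in front. The tag value, the manifest layout and the constructed sample trees are assumptions for illustration. The naive alternative, hashing the concatenated file contents, is included to show the collision it allows: two trees whose file contents differ but concatenate to the same bytes get the same naive digest and different canonical digests.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Domain separator, chosen for this example so the digest cannot be confused
# with a plain file hash or another manifest format.
MANIFEST_TAG = b"example-dir-manifest-v0"


def _sha256_file(path: Path) -> bytes:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.digest()


def _lp(b: bytes) -> bytes:
    """Length-prefix a field so concatenated fields re-split unambiguously."""
    return len(b).to_bytes(8, "big") + b


def _sorted_files(root: Path):
    """Regular files under root as (posix relative path, absolute path), sorted by path."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                raise ValueError(f"only regular files are supported: {p}")
            out.append((p.relative_to(root).as_posix(), p))
    out.sort(key=lambda e: e[0])
    return out


def naive_digest(root: Path) -> str:
    """Anti-pattern: hash the concatenated file contents only.

    File names and boundaries are lost, so different trees can collide."""
    h = hashlib.sha256()
    for _, p in _sorted_files(Path(root)):
        h.update(p.read_bytes())
    return h.hexdigest()


def directory_digest(root: Path) -> str:
    """Canonical digest: sha256 over a manifest of (path, file sha256) entries.

    Sorting by path makes the result independent of traversal order; length
    prefixes and the path itself bind each content hash to its location."""
    h = hashlib.sha256()
    h.update(_lp(MANIFEST_TAG))
    for rel, p in _sorted_files(Path(root)):
        h.update(_lp(rel.encode("utf-8")))
        h.update(_lp(_sha256_file(p)))
    return h.hexdigest()


def write_tree(base, files: dict) -> Path:
    """Construct a sample tree from {relative path: bytes} for the demo."""
    root = Path(base) / "model"
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


# Constructed sample "model" directories. B moves one byte across a file
# boundary, so the concatenation of all contents is identical to A.
TREE_A = {"config.json": b'{"layers": 2}', "weights/w0.bin": b"xy", "weights/w1.bin": b"z"}
TREE_B = {"config.json": b'{"layers": 2}', "weights/w0.bin": b"x", "weights/w1.bin": b"yz"}


def compare_digests() -> dict:
    """Compute both digests for A (twice) and B and report the properties shown."""
    with tempfile.TemporaryDirectory() as a1, tempfile.TemporaryDirectory() as a2, \
            tempfile.TemporaryDirectory() as b:
        ra1, ra2, rb = write_tree(a1, TREE_A), write_tree(a2, TREE_A), write_tree(b, TREE_B)
        return {
            "canonical_deterministic": directory_digest(ra1) == directory_digest(ra2),
            "canonical_separates_a_b": directory_digest(ra1) != directory_digest(rb),
            "naive_collides_a_b": naive_digest(ra1) == naive_digest(rb),
            "hex_len": len(directory_digest(ra1)),
        }


if __name__ == "__main__":
    for k, v in compare_digests().items():
        print(f"{k}: {v}")
```

Two design points a signing scheme for directories has to settle, both visible in the code: what is in scope (here only regular files; symlinks and empty directories are rejected rather than silently skipped, so a tree that contains them cannot be signed by accident), and how the manifest is serialized (length prefixes rather than separators, so a crafted file name cannot mimic a field boundary).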
There's a distinction to be made between the signer and the builder for sigstore-based CLIs (npm). We currently have two builders allowed for npm verification: `github-hosted` and `self-hosted`. This is...