laurentsimon
Per discussion in https://github.com/slsa-framework/slsa-verifier/issues/707, we'd like to be able to verify certain things end-to-end and need a way to ignore signature verification. @trishankatdatadog @ianlewis
https://github.com/sigstore/cosign/pull/3059 is splitting APIs based on providers. Once it's landed, we can use these to provide various slsa-verifier builds: one for all providers, one for Google, docker, etc.
Part of https://github.com/slsa-framework/slsa-verifier/issues/614
We need to wait till GCB v1.0 support is available to create containers, which should happen last week of Aug or so.
See https://github.com/slsa-framework/slsa-verifier/pull/691#discussion_r1297887137. We can now wrap multiple errors. We can try to do that for the entire code.
See @joshuagl's comment https://github.com/slsa-framework/slsa-verifier/pull/48#pullrequestreview-964512681. Do you know if there's a preferred way to do it?
Several of our e2e tests only use the slsa-verifier at head, e.g. https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.container-based.default.verify.sh#L56 and https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.container.default.verify.sh#L39 We need to enable them from a version. /cc @ianlewis @asraa
This would allow us to support other types of versioning. This would be a major version bump.
We currently have interfaces for v0.2 and v1.0 SLSA specs for GitHub builders, but they are not shared with other builders like GCB.