laurentsimon

feat: remove support for special handling of material verification for npm

6

See https://github.com/slsa-framework/slsa-verifier/pull/521#discussion_r1131610475

[feature][npm] Verify the package name in the tarball

2

See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1116675186 This requires changing the interface, and would probably not work as a service since the tarball would not be transmitted.

We need e2e tests.

Support for GitLab provenance

2

GitLab has some support in https://github.com/npm/cli/pull/6375 https://gist.github.com/wlynch/42e89527d51bc72a61279f0c7f3be1cd

[feature][byob] verification for sha1 provided by TRW for v0.2

7

verification counterpart for https://github.com/slsa-framework/slsa-github-generator/issues/2079 To think about: if the sha1 != GitHub event, options like `--source-branch`, `--source-tag` or another source option should fail because we can no longer trust the...

[feature]: verify `externalParameters.source` as a string URI

1

Counterpart of https://github.com/slsa-framework/slsa-github-generator/issues/2192

[feature][byob] End-to-end verification tests

2

We need a new repo `example-trws` with TRWs to call from `example-packages` to tests the delegator workflow features and catch regressions

We want to allow some exceptions for TRWs to test their workflows `@` where `ref != vx.y.z`. I think we need: - `[email protected]` and `[email protected]` allowed, that's the default, common...