laurentsimon

Results 281 issues of laurentsimon

GCB allows triggering builds via CLI, in which case the config is passed as an RPC input, but not in code. We should check the entryPoint is not empty.

area:gcb

This could be useful if consumers integrate our code in a service:
- memory usage changes
- performance changes
In a pre-submit would be ideal. We could also have this...

type:feature
area:tests

See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1122445010 Need to have a list of pros and cons. Please comment.

type:discussion

https://github.com/slsa-framework/github-actions-buildtypes/blob/main/workflow/v1/example.json#L32 I don't know how to differentiate between sha1 and sha256. I suppose it's going to be length-based...?

type:feature

I'm wondering if we should simplify verification to take as input the intoto file:
```shell
gcloud artifacts docker images describe $IMMUTABLE_IMAGE --format json --show-provenance | jq -r '.provenance_summary.provenance[0].envelope'
```
This...

type:feature
area:gcb

Python / Java artifacts seem to be supported in GCB now https://cloud.google.com/build/docs/securing-builds/view-build-provenance. Let's add support for it.

type:feature
area:gcb

- [x] https://github.com/slsa-framework/slsa-verifier/pull/242 human-readable part should match DSSE
- [x] https://github.com/slsa-framework/slsa-verifier/pull/202 summary verification
- [x] https://github.com/slsa-framework/slsa-verifier/pull/202 metadata verification
- [x] https://github.com/slsa-framework/slsa-verifier/pull/248 Unit tests
- [x] https://github.com/slsa-framework/slsa-verifier/pull/251 CLI tests @laurentsimon -...

type:feature
area:gcb

https://github.com/slsa-framework/slsa-verifier/issues/475#issuecomment-1428814820 Also, we currently have a single ProvenanceOpts https://github.com/slsa-framework/slsa-verifier/blob/main/options/options.go, but this may need to be different for each option: `verify-image`, `verify-artifact`, `verify-npm-package`. For example, for npm, we need additional options...

type:feature

In certain scenarios, a user may not know what the builder is. Example: someone creates a monitoring service to monitor provenance changes for packages. The builder *may* change (and have...

type:feature

We should try to turn on this option if possible, stapling or anything the server supports.

type:feature
area:hardening