laurentsimon
GCB allows triggering builds via CLI, in which case the config is passed as an RPC input, but not in code. We should check the entryPoint is not empty.
This could be useful if consumers integrate our code in a service:
- memory usage changes
- performance changes

In a pre-submit would be ideal. We could also have this...
See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1122445010 Need to have a list of pros and cons. Please comment.
https://github.com/slsa-framework/github-actions-buildtypes/blob/main/workflow/v1/example.json#L32 I don't know how to differentiate between sha1 and sha256. I suppose it's going to be length-based...?
I'm wondering if we should simplify verification to take as input the intoto file:

```shell
gcloud artifacts docker images describe $IMMUTABLE_IMAGE --format json --show-provenance | jq -r '.provenance_summary.provenance[0].envelope'
```

This...
Python / Java artifacts seem to be supported in GCB now https://cloud.google.com/build/docs/securing-builds/view-build-provenance. Let's add support for it.
- [x] https://github.com/slsa-framework/slsa-verifier/pull/242 human-readable part should match DSSE
- [x] https://github.com/slsa-framework/slsa-verifier/pull/202 summary verification
- [x] https://github.com/slsa-framework/slsa-verifier/pull/202 metadata verification
- [x] https://github.com/slsa-framework/slsa-verifier/pull/248 Unit tests
- [x] https://github.com/slsa-framework/slsa-verifier/pull/251 CLI tests

@laurentsimon -...
https://github.com/slsa-framework/slsa-verifier/issues/475#issuecomment-1428814820 Also, we currently have a single ProvenanceOpts https://github.com/slsa-framework/slsa-verifier/blob/main/options/options.go, but this may need to be different for each option: `verify-image`, `verify-artifact`, `verify-npm-package`. For example, for npm, we need additional options...
In certain scenarios, a user may not know what the builder is. Example: someone creates a monitoring service to monitor provenance changes for packages. The builder *may* change (and have...
We should try to turn on this option if possible, stapling or anything the server supports.