laurentsimon
In https://github.com/slsa-framework/slsa-verifier/pull/257, I added support for builder tag verification. All the existing generic container tests use a builder pinned at `@main`. It works because of the exception for example-package repository....
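As an added illustration of the builder tag check described in the issue (not the author's code and not slsa-verifier's implementation), the following Go snippet accepts a builder ID only when its ref is a semver release tag and models the example-package exception as an assumed allowlist; the builder IDs, the allowlist contents and the helper names are assumptions for this example:

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed allowlist (not slsa-verifier's real table): repositories whose
// workflows may be referenced by branch rather than by a release tag, which is
// how the issue's "example-package" exception is modelled here.
var branchPinAllowed = map[string]bool{
	"github.com/slsa-framework/example-package": true,
}

// semverTag accepts refs/tags/vMAJOR.MINOR.PATCH with an optional pre-release
// suffix such as -rc.1.
var semverTag = regexp.MustCompile(`^refs/tags/v\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?$`)

// ErrBuilderNotPinned is returned for a builder ref that is not a release tag.
var ErrBuilderNotPinned = errors.New("builder is not pinned to a release tag")

// splitBuilderID splits "https://github.com/<owner>/<repo>/<path>@<ref>" into
// the repository ("github.com/<owner>/<repo>") and the ref after the last '@'.
func splitBuilderID(builderID string) (string, string, error) {
	at := strings.LastIndex(builderID, "@")
	if at < 0 {
		return "", "", fmt.Errorf("builder ID %q has no @ref", builderID)
	}
	workflow, ref := builderID[:at], builderID[at+1:]
	parts := strings.SplitN(strings.TrimPrefix(workflow, "https://"), "/", 4)
	if len(parts) < 3 || parts[0] != "github.com" || parts[1] == "" || parts[2] == "" {
		return "", "", fmt.Errorf("builder ID %q is not a github.com workflow", builderID)
	}
	return strings.Join(parts[:3], "/"), ref, nil
}

// VerifyBuilderTag accepts the builder ID only when its ref is a semver release
// tag, or when the repository is on the branch-pin allowlist.
func VerifyBuilderTag(builderID string) error {
	repo, ref, err := splitBuilderID(builderID)
	if err != nil {
		return err
	}
	if semverTag.MatchString(ref) || branchPinAllowed[repo] {
		return nil
	}
	return fmt.Errorf("%w: %s@%s", ErrBuilderNotPinned, repo, ref)
}

func main() {
	for _, id := range []string{
		"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.2.0",
		"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main",
		"https://github.com/slsa-framework/example-package/.github/workflows/e2e.yml@refs/heads/main",
	} {
		fmt.Printf("%s -> %v\n", id, VerifyBuilderTag(id))
	}
}
```

The check is deliberately allowlist-shaped: a branch ref such as `@main` is rejected for every repository except the ones explicitly listed, so a test fixture that passes today because of the exception would start failing the moment it moves to a repository outside the list.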
I'm seeing some warnings when using the git command:

```
remote: warning: See http://git.io/iEPt8g for more information.
remote: warning: File 278574a27b5008ce50cfe31c787cd00f0d7e6ea4 is 54.86 MB; this is larger than GitHub's recommended...
```
Type confusion in https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296: I don't think we explicitly check for this... but we check for builders that only support SLSA attestations. Still, let's make the check more explicit, unless...
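As an added example of the explicit check the issue asks for (not the author's code and not how slsa-verifier or cosign implement it), this Go snippet decodes a DSSE envelope and refuses to treat it as provenance unless the envelope payload type, the in-toto statement `_type` and the `predicateType` are all the expected SLSA values; the `NewEnvelope` helper and its sample predicate are constructed for this example, and signature verification is assumed to have already happened:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Identifiers for the envelope and statement we are willing to treat as
// provenance; anything else is rejected rather than silently accepted.
const (
	intotoPayloadType = "application/vnd.in-toto+json"
	statementV01      = "https://in-toto.io/Statement/v0.1"
	slsaProvenanceV02 = "https://slsa.dev/provenance/v0.2"
)

// ErrNotProvenance marks an attestation whose type is not SLSA provenance.
var ErrNotProvenance = errors.New("attestation is not a SLSA provenance")

// Envelope is the subset of a DSSE envelope needed here (signatures omitted;
// signature verification is assumed to have happened before this check).
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// Statement is the in-toto statement header plus the raw predicate.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// DecodeProvenance returns the statement only if both the envelope payload
// type and the statement's _type/predicateType are the expected SLSA values.
func DecodeProvenance(raw []byte) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("invalid envelope: %w", err)
	}
	if env.PayloadType != intotoPayloadType {
		return nil, fmt.Errorf("%w: payloadType %q", ErrNotProvenance, env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("invalid payload encoding: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("invalid statement: %w", err)
	}
	if st.Type != statementV01 {
		return nil, fmt.Errorf("%w: _type %q", ErrNotProvenance, st.Type)
	}
	if st.PredicateType != slsaProvenanceV02 {
		return nil, fmt.Errorf("%w: predicateType %q", ErrNotProvenance, st.PredicateType)
	}
	return &st, nil
}

// NewEnvelope wraps a statement in an unsigned DSSE envelope. It exists only
// to construct sample input for this example.
func NewEnvelope(payloadType, stmtType, predicateType string) []byte {
	st := Statement{
		Type:          stmtType,
		PredicateType: predicateType,
		Predicate:     json.RawMessage(`{"builder":{"id":"https://example.com/builder"}}`),
	}
	body, _ := json.Marshal(st)
	env := Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body)}
	out, _ := json.Marshal(env)
	return out
}

func main() {
	good := NewEnvelope(intotoPayloadType, statementV01, slsaProvenanceV02)
	spdx := NewEnvelope(intotoPayloadType, statementV01, "https://spdx.dev/Document")
	for _, e := range [][]byte{good, spdx} {
		_, err := DecodeProvenance(e)
		fmt.Println("error:", err)
	}
}
```

The point of checking all three fields is that a signed SBOM or any other attestation type carries a valid signature from the same identity; only the type fields distinguish it from provenance, so a verifier that decodes the predicate without looking at them can be fed the wrong document.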
We don't have tests for these. For GCB, it's particularly important since multiple provenances may be contained in the gcloud provenance.
When we bump the major version, we need to update the go.mod and all the imports in the file. See https://github.com/slsa-framework/slsa-verifier/issues/299 and https://github.com/slsa-framework/slsa-verifier/pull/378 for context. We may want to add...
We need to release the Action. TODOs:
- [x] Fix checkout

I tested (https://github.com/laurentsimon/slsa-on-github-test/blob/main/.github/workflows/verifier-action.yaml#L11):

```
uses: slsa-framework/slsa-verifier/actions/[email protected]
```

and it gave me the following error: `Error: An error occurred trying...`
For defense in depth, we should verify these against the signing certificate, print these, and also in the future expose options for clients to create policies to verify these against.
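As an added example of the defense-in-depth check described above (not the author's code and not slsa-verifier's implementation), the following Go snippet reads the workflow repository and ref from the Fulcio extensions of a signing certificate, compares them with the values recorded in the provenance, and returns the certificate claims so they can be printed. The OIDs used are Fulcio's original GitHub workflow extensions and the values are assumed to be raw UTF-8 strings; `NewTestCert` builds a self-signed certificate purely to construct input for this example:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio's GitHub workflow extension OIDs for repository and ref. The values
// are assumed here to be the raw UTF-8 string, as in the original (v1)
// Fulcio extensions; newer extensions DER-encode the string instead.
var (
	oidWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
	oidWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
)

// ErrCertMismatch is returned when the certificate disagrees with provenance.
var ErrCertMismatch = errors.New("signing certificate does not match provenance")

// CertClaims are the workflow identity fields carried by the certificate.
type CertClaims struct {
	Repository string
	Ref        string
}

// ExtractClaims reads the workflow repository and ref extensions from a
// certificate; both must be present.
func ExtractClaims(cert *x509.Certificate) (CertClaims, error) {
	var c CertClaims
	for _, ext := range cert.Extensions {
		switch {
		case ext.Id.Equal(oidWorkflowRepository):
			c.Repository = string(ext.Value)
		case ext.Id.Equal(oidWorkflowRef):
			c.Ref = string(ext.Value)
		}
	}
	if c.Repository == "" || c.Ref == "" {
		return c, fmt.Errorf("%w: missing workflow repository/ref extensions", ErrCertMismatch)
	}
	return c, nil
}

// VerifyCertAgainstProvenance checks that the repository and ref recorded in
// the provenance equal the ones bound into the signing certificate.
func VerifyCertAgainstProvenance(cert *x509.Certificate, provRepo, provRef string) (CertClaims, error) {
	c, err := ExtractClaims(cert)
	if err != nil {
		return c, err
	}
	if c.Repository != provRepo {
		return c, fmt.Errorf("%w: certificate repository %q, provenance %q", ErrCertMismatch, c.Repository, provRepo)
	}
	if c.Ref != provRef {
		return c, fmt.Errorf("%w: certificate ref %q, provenance %q", ErrCertMismatch, c.Ref, provRef)
	}
	return c, nil
}

// NewTestCert builds a self-signed certificate carrying the two extensions.
// It exists only to construct input for this example; real certificates come
// from the Fulcio CA and must also be chain-verified.
func NewTestCert(repo, ref string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-signer"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{
			{Id: oidWorkflowRepository, Value: []byte(repo)},
			{Id: oidWorkflowRef, Value: []byte(ref)},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("https://github.com/org/repo", "refs/tags/v1.0.0")
	if err != nil {
		panic(err)
	}
	claims, err := VerifyCertAgainstProvenance(cert, "https://github.com/org/repo", "refs/tags/v1.0.0")
	fmt.Printf("claims=%+v err=%v\n", claims, err)
	_, err = VerifyCertAgainstProvenance(cert, "https://github.com/org/repo", "refs/heads/main")
	fmt.Println("error:", err)
}
```

This comparison is additional to, not a replacement for, verifying the certificate chain to the Fulcio root and the Rekor inclusion proof: the extensions are only trustworthy once the certificate itself is. A policy option, as the issue suggests, would let a client supply the expected repository and ref instead of taking them from the provenance.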
See original discussion https://github.com/gossts/slsa-provenance/issues/21
We need a better story around installation, like a native debian package. Work items:
- [x] File a WNPP ITP bug (https://wiki.debian.org/ITP). Done: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019904
- [ ] Refresh knowledge on...
Do we need to start thinking of a SLSA level flag during verification? This could encourage users to use our tool for verification, even when the provenance has lower levels,...