macaron icon indicating copy to clipboard operation
macaron copied to clipboard
verified publisher icon oracle

[Enhancement] - Verify local provenance

Open benmss opened this issue 4 months ago • 0 comments

Attestation files provided by the user in the command line are not checked for their verified status. Currently, Macaron relies on the information provided by third party services such as GitHub, deps.dev, npm, etc. for verifying provenances while retrieving them, which cannot be applied for local instances. Unfortunately, the APIs available on GitHub and Sigstore Rekor do not provide a simple method of verifying provenance. Therefore, to properly support local attestation, Macaron must have its own method of verifying them.

Verification should support the following build types in provenances:

  • SLSA GitHub Generic (v0.1): https://github.com/slsa-framework/slsa-github-generator/generic@v1
  • SLSA GitHub Actions (v1.0): https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1
  • SLSA npm CLI (v2.0): https://github.com/npm/cli/gha/v2
  • SLSA Oracle Cloud Infrastructure (v1.0): https://github.com/oracle/macaron/tree/main/src/macaron/resources/provenance-buildtypes/oci/v1
  • Witness GitLab (v0.1): https://witness.testifysec.com/attestation-collection/v0.1

benmss avatar Aug 19 '25 02:08 benmss