Ramon Petgrave
Example provenance, which is a sigstore bundle - https://github.com/ramonpetgrave/my-example-gradle-project/attestations/784461 decoded DSSE Envelope payload: ``` { "_type": "https://in-toto.io/Statement/v1", "subject": [ { "name": "app.jar", "digest": { "sha256": "bc2153c2e6a9b03505e7f99ed126c47e6844accc6c9a013317182ba746854fcb" } } ], "predicateType":...
@mihaimaruseac
@trishankatdatadog Although negative/regression tests against the NPM subject digests are not in [main_regression_test.go](https://github.com/ramonpetgrave64/slsa-verifier/blob/18c5f13b3ecdf5b79db7448291d3c5aa67683157/cli/slsa-verifier/main_regression_test.go#L1499), the tests you want are done for both the publish and build attestations' subject digests in - https://github.com/ramonpetgrave64/slsa-verifier/blob/18c5f13b3ecdf5b79db7448291d3c5aa67683157/verifiers/internal/gha/provenance_test.go#L74...
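An added example in Go (editor's illustration, not Ramon's code and not slsa-verifier's own implementation) of the check the two comments above are about: take the DSSE envelope found inside a Sigstore bundle, decode its base64 payload into the in-toto v1 statement shown above, and compare the artifact's sha256 against the subject digests, including the negative case where a tampered artifact must not match. The envelope is constructed here around a stand-in artifact, the predicate type is assumed to be SLSA provenance v1, and the DSSE signature is carried through but not verified; a real verifier checks the signature against the Sigstore certificate before trusting any subject digest.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

const (
	inTotoPayloadType = "application/vnd.in-toto+json" // DSSE payloadType for in-toto statements
	statementTypeV1   = "https://in-toto.io/Statement/v1"
)

// Envelope is the DSSE envelope found under dsseEnvelope in a Sigstore bundle.
// Signatures are kept opaque: this example does not verify them.
type Envelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"` // standard base64 of the statement JSON
	Signatures  []json.RawMessage `json:"signatures"`
}

// Subject is one artifact the statement makes a claim about.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // algorithm -> hex digest
}

// Statement is the in-toto v1 statement the payload decodes to.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// DecodeStatement parses the envelope, checks the payload type, and decodes
// the base64 payload into a Statement. Anything that is not an in-toto v1
// statement with at least one subject is rejected.
func DecodeStatement(envelopeJSON []byte) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parse statement: %w", err)
	}
	if st.Type != statementTypeV1 {
		return nil, fmt.Errorf("unexpected statement _type %q", st.Type)
	}
	if len(st.Subject) == 0 {
		return nil, fmt.Errorf("statement has no subject")
	}
	return &st, nil
}

// SubjectMatches hashes the artifact and returns the subject whose sha256
// digest equals it. The match is on digest, not on name, so a renamed
// download still verifies and a same-named but different file does not.
func SubjectMatches(st *Statement, artifact []byte) (Subject, bool) {
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range st.Subject {
		if got, ok := s.Digest["sha256"]; ok && strings.EqualFold(got, want) {
			return s, true
		}
	}
	return Subject{}, false
}

// NewSampleEnvelope builds an unsigned envelope around a statement for the
// given artifact. Constructed test data, not a real bundle.
func NewSampleEnvelope(name string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	st := Statement{
		Type:          statementTypeV1,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://slsa.dev/provenance/v1", // assumed predicate type
		Predicate:     json.RawMessage(`{}`),
	}
	payload, _ := json.Marshal(st)
	out, _ := json.Marshal(Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(payload)})
	return out
}

func main() {
	jar := []byte("constructed stand-in for app.jar")
	st, err := DecodeStatement(NewSampleEnvelope("app.jar", jar))
	if err != nil {
		panic(err)
	}
	s, ok := SubjectMatches(st, jar)
	fmt.Printf("match=%v subject=%s sha256=%s\n", ok, s.Name, s.Digest["sha256"])
	_, ok = SubjectMatches(st, []byte("tampered"))
	fmt.Printf("tampered artifact match=%v\n", ok)
}
```

The digest comparison is the only thing this block decides; the payloadType and `_type` checks are there because a verifier that skips them can be fed a differently typed payload whose JSON happens to contain a plausible-looking `subject` array.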
Just adding to the conversation: [merkle trees](https://en.wikipedia.org/wiki/Merkle_tree) seem like they could be a good way to hash directories, and someone has tried this in [Go](https://github.com/makew0rld/merkdir). re: [your comments](https://github.com/google/model-transparency/issues/49#issuecomment-1790966294), I think...
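An added example, not the commenter's code and not taken from makew0rld/merkdir or model-transparency, of one way to hash a directory as a Merkle tree in Go. The design choices are this example's own, not a standard: RFC 6962-style domain separation (0x00 for leaves, 0x01 for interior nodes) so an interior hash can never be replayed as a leaf, each file's relative path length-prefixed into its leaf so a rename changes the root, paths sorted so traversal order does not matter, and an unpaired node promoted rather than duplicated. File modes and symlink targets are not included in the hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Domain-separation prefixes (RFC 6962 style): a leaf hash and an interior
// node hash over the same bytes must never collide.
const (
	leafPrefix = 0x00
	nodePrefix = 0x01
)

// leafHash binds the file's relative path to its content. The path is
// length-prefixed so "ab"+"c" and "a"+"bc" hash differently.
func leafHash(relPath string, content []byte) []byte {
	h := sha256.New()
	h.Write([]byte{leafPrefix})
	var buf [binary.MaxVarintLen64]byte
	n := binary.PutUvarint(buf[:], uint64(len(relPath)))
	h.Write(buf[:n])
	h.Write([]byte(relPath))
	h.Write(content)
	return h.Sum(nil)
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{nodePrefix})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// MerkleRoot hashes a set of files (relative path -> content) into one hex
// root. Paths are sorted so the result is independent of how the map was
// built; an unpaired node is promoted to the next level, not duplicated.
func MerkleRoot(files map[string][]byte) string {
	if len(files) == 0 {
		return hex.EncodeToString(sha256.New().Sum(nil)) // empty tree: sha256(""), as in RFC 6962
	}
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	level := make([][]byte, 0, len(paths))
	for _, p := range paths {
		level = append(level, leafHash(p, files[p]))
	}
	for len(level) > 1 {
		next := make([][]byte, 0, (len(level)+1)/2)
		for i := 0; i < len(level); i += 2 {
			if i+1 < len(level) {
				next = append(next, nodeHash(level[i], level[i+1]))
			} else {
				next = append(next, level[i]) // odd node out is promoted as-is
			}
		}
		level = next
	}
	return hex.EncodeToString(level[0])
}

// ReadTree walks a directory on disk into the map MerkleRoot expects, using
// forward-slash relative paths so the root is the same on every OS.
// Symlinks are not followed into directories by WalkDir; a symlink to a file
// is read through, so its target content (not the link) is hashed.
func ReadTree(root string) (map[string][]byte, error) {
	files := map[string][]byte{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		files[filepath.ToSlash(rel)] = data
		return nil
	})
	return files, err
}

func main() {
	// Constructed in-memory tree standing in for a model directory.
	tree := map[string][]byte{"model/weights.bin": []byte("w1"), "model/config.json": []byte("{}"), "README.md": []byte("hi")}
	fmt.Println("root:", MerkleRoot(tree))
}
```

Because each file is its own leaf, a consumer who later receives the per-level sibling hashes can verify one file against the published root without re-reading the whole directory, which is the property that makes this more useful than hashing a tarball.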
Duplicate of #450
Initial implementation in #495
@godofredoc It's been about a year. Is this still an issue for you?
They are still using SLSA v0.2, and that older definition of BuilderID. - https://github.com/npm/cli/blob/22731831e22011e32fa0ca12178e242c2ee2b33d/workspaces/libnpmpublish/lib/provenance.js#L67 - https://github.com/npm/cli/pull/6375#discussion_r1173989123 I think for GitLab the BuilderID should also be the ref to GitLab's own...