
More efficient verification of multi-subject generic provenance

Open laurentsimon opened this issue 3 years ago • 1 comments

I added https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml temporarily to test verification of multiple subjects. It currently calls the verification scripts 3 times, meaning that it compiles the verifier 3 times.

We need to update the scripts to verify the 3 artifacts with a single call.

/cc @ianlewis

laurentsimon, Jul 12 '22 18:07

2 options to achieve this:

  1. Rename `BINARY` env variables to `BINARIES`, which can take a list of binaries separated by a `,`. The scripts can split the string and extract the list of binaries
  2. Cache the verifier binary, and only compile / download if it's not already on disk

I'm in favor of Option 2 because it keeps the scripts simpler.

Wdut?

laurentsimon, Jul 13 '22 17:07
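
A sketch of Option 2 from the comment above, as an added example that is not code from the issue or from the slsa-framework scripts: the verifier is built only when it is missing from a cache directory, then reused for every subject. `build_verifier`, `ensure_verifier`, `verify_all` and the cache path are hypothetical names, and the "verifier" written here is a constructed stand-in that only checks an artifact's SHA-256 against a digest list; it assumes `sha256sum` is available.

```shell
#!/bin/sh
# Added example: cache the verifier and reuse it for all subjects (Option 2).
CACHE_DIR="${CACHE_DIR:-${TMPDIR:-/tmp}/verifier-cache.$$}"  # assumed location
VERIFIER="$CACHE_DIR/verifier"
BUILD_COUNT=0   # how many times the expensive build step actually ran

# Hypothetical stand-in for the real compile/download step. The script it
# writes passes only if the artifact's SHA-256 appears in the provenance file.
build_verifier() {
    mkdir -p "$CACHE_DIR"
    chmod 700 "$CACHE_DIR"              # cache must not be writable by others
    printf '%s\n' '#!/bin/sh' \
        '[ -f "$1" ] || exit 1' \
        'grep -qF "$(sha256sum "$1" | cut -d" " -f1)" "$2"' > "$VERIFIER.tmp"
    chmod +x "$VERIFIER.tmp"
    mv "$VERIFIER.tmp" "$VERIFIER"      # rename so a partial file is never cached
    BUILD_COUNT=$((BUILD_COUNT + 1))
}

# Build only if the binary is not already on disk.
ensure_verifier() {
    if [ ! -x "$VERIFIER" ]; then
        build_verifier
    fi
}

# verify_all PROVENANCE ARTIFACT...
# Checks every artifact, reports each result, returns the number of failures.
verify_all() {
    provenance="$1"; shift
    failed=0
    for artifact in "$@"; do
        ensure_verifier
        if "$VERIFIER" "$artifact" "$provenance"; then
            echo "OK   $artifact"
        else
            echo "FAIL $artifact" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Every subject is still checked and a single failure makes the call fail, so caching changes only how often the build runs, not what gets verified.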