
[docs] Verification with sigstore-policy-controller

Open ianlewis opened this issue 3 years ago • 4 comments

Document examples using sigstore-policy-controller to verify provenance.

ianlewis commented Jul 05 '22 02:07

There's also https://github.com/sigstore/cosign-gatekeeper-provider for gatekeeper, but it seems the gatekeeper's feature is in alpha mode.

/cc @developer-guy (maintainer for the repo above)

laurentsimon commented Jul 07 '22 21:07

> There's also https://github.com/sigstore/cosign-gatekeeper-provider for gatekeeper, but it seems the gatekeeper's feature is in alpha mode.
>
> /cc @developer-guy (maintainer for the repo above)

I wonder if this supports writing policy against the provenance. At first glance it looks like it just verifies signatures?

ianlewis commented Jul 07 '22 22:07

It's up to us to implement it, so we could make the plugin call our SLSA verifier once we have an API available for it. /cc @asraa

laurentsimon commented Jul 07 '22 22:07

@developer-guy would you happen to know someone who is versed in https://docs.sigstore.dev/policy-controller/overview and could give us a hand with a policy example?

Basically, we want to show how to verify our SLSA provenance with a policy.

laurentsimon commented Jul 07 '22 22:07
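The kind of policy the thread is asking for, sketched here as an added illustration rather than code from the project or from any commenter: a policy-controller `ClusterImagePolicy` that admits an image only if it carries a SLSA provenance attestation signed by the slsa-github-generator reusable workflow's keyless identity, and whose predicate passes a CUE rule on the builder ID and the source repository. The image glob, the `example-org` repository and the `vX.Y.Z` tag are placeholders; `slsaprovenance` is the cosign short name for the `https://slsa.dev/provenance/v0.2` predicate type.

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-slsa-github-generator-provenance
spec:
  images:
    # Placeholder glob: every image under this registry path must satisfy the policy.
    - glob: "ghcr.io/example-org/**"
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          # The attestation is signed by the reusable workflow's own GitHub OIDC identity,
          # so the certificate subject is pinned to that workflow, not to the caller.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+\\.[0-9]+\\.[0-9]+$"
      attestations:
        - name: slsa-provenance
          # Short name for predicateType https://slsa.dev/provenance/v0.2.
          predicateType: slsaprovenance
          policy:
            type: cue
            # The CUE rule is evaluated against the decoded in-toto statement:
            # it must be a v0.2 provenance, produced by the pinned builder (placeholder tag),
            # and built from the expected source repository (placeholder org).
            data: |
              predicateType: "https://slsa.dev/provenance/v0.2"
              predicate: {
                builder: id: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/vX.Y.Z"
                invocation: configSource: uri: =~"^git\\+https://github.com/example-org/"
              }
```

With this in place, the admission webhook rejects an image that has a valid signature but no provenance, a provenance signed by some other identity, or a provenance whose builder or source does not match the pinned values.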