slsa-github-generator icon indicating copy to clipboard operation
slsa-github-generator copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Feature: harden against material leaks

Open laurentsimon opened this issue 3 years ago • 0 comments
trafficstars

Leaks of:

  1. GITHUB_TOKEN which allows requesting certs from Fulcio. Not sure yet what we can do here, besides hardening our implementation and verifying that the keys don't leak in coredump, in logs, etc. Somehow we'd like to add scope to the
  2. GITHUB_TOKEN to be one-time-use only, but that would require support from GitHub. Maybe something we can propose to them. Let me know if you have other ideas.

The signing key: shall we enforce, during verification, that there exists a single rekor entry with the certificate?

laurentsimon avatar Mar 25 '22 21:03 laurentsimon