slsa-verifier
Verify provenance from SLSA compliant builders
This issue lists Renovate updates and detected dependencies. Read the [Dependency Dashboard](https://docs.renovatebot.com/key-concepts/dashboard/) docs to learn more.

## Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to...
This PR
- allows supplying a SigstoreTufClient
- adds a guide on how to use it in `./docs/Api-Library.md`
- enables --print-provenance

Offline rekor verification already works so long as the provenance...
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow to also sign off the commit.

# Testing
- [x] Invoked this PR's branch copy of the workflow against #717, and it did sign off the...
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`18.19.28` -> `18.19.33`](https://renovatebot.com/diffs/npm/@types%2fnode/18.19.28/18.19.33) |...
Making the `download-artifacts.sh` script be more useful. Before, it would error upon seeing some zip files that it doesn't expect to be in the GH release. I think the script...
An off-line mode would enable the use of `slsa-verifier` in air-gapped environments, which are isolated from any network connection for security reasons. Cosign [already supports this](https://github.com/sigstore/cosign?tab=readme-ov-file#verify-a-container-in-an-air-gapped-environment), so I am assuming...
See https://github.com/cli/cli/pull/8698/ for required code changes
See VSA https://slsa.dev/verification_summary/v0.2

High-level verification in CLI:

```shell
$ slsa-verifier verify-vsa --vsa-path verifier-id google.com [--resource-uri ] --policy-level X
```
Please can you make SHA256SUM.md more machine/script friendly. At present, for example, it is not possible to use it in scripts with `pipefail` enabled because `sha256sum -c --ignore-missing --strict SHA256SUM.md`...
The reusable workflow can be pinned by hash, version or tag in general. However:
1. Pinned by hash makes it pretty hard to retrieve the branch during verification.
2. Pinned...