slsa-verifier icon indicating copy to clipboard operation
slsa-verifier copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Verify attestation type explicitely

Open laurentsimon opened this issue 2 years ago • 1 comments

type confusion in https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296 I don't think we explicitly check for this... but we check for builders who only support SLSA attestation.

Still, let's make the check more explicit, unless it's already done

laurentsimon avatar Aug 04 '22 18:08 laurentsimon

done for GCB https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gcb/provenance.go#L210

No done for GHA yet. We could share the function.

laurentsimon avatar Jan 12 '23 02:01 laurentsimon