
[feature][npm] Verify the package name in the tarball

Open laurentsimon opened this issue 1 year ago • 2 comments

See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1116675186

This requires changing the interface, and would probably not work as a service since the tarball would not be transmitted.

laurentsimon avatar Feb 27 '23 16:02 laurentsimon

More info at https://github.com/gh-community/npm-provenance-private-beta-community/issues/13

Looks like today, tarball content is not verified by the registry, but it may happen in the future.

laurentsimon avatar Feb 27 '23 16:02 laurentsimon

would probably not work as a service

We can probably expect that any service clients do this themselves. For npm packages this means a thicker client than we would like but it seems necessary.

ianlewis avatar Jun 16 '23 02:06 ianlewis
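The client-side check the thread is discussing (reading package/package.json out of the downloaded tarball and comparing its name with the name the provenance attests to), as an added Go example that is not slsa-verifier's own code. The tarball fixture, the 1 MiB read cap and the name "@acme/widget" are constructed for illustration; the expected name is assumed to come from provenance the client has already verified.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
)

// VerifyTarballName reads package/package.json from an npm tarball (gzip-compressed tar; `npm pack`
// places every file under "package/") and fails unless its "name" equals the provenance's name.
func VerifyTarballName(tgz []byte, expected string) error {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err != nil { // io.EOF means the entries ran out without finding the manifest
			return fmt.Errorf("package/package.json not found or archive unreadable: %w", err)
		}
		if hdr.Name != "package/package.json" {
			continue
		}
		var pkg struct{ Name string `json:"name"` }
		// Cap the read so a hostile tarball cannot force unbounded decompression (assumed 1 MiB limit).
		if err := json.NewDecoder(io.LimitReader(tr, 1<<20)).Decode(&pkg); err != nil {
			return err
		}
		if pkg.Name != expected {
			return fmt.Errorf("package name mismatch: tarball says %q, provenance says %q", pkg.Name, expected)
		}
		return nil
	}
}

// BuildTarball constructs an in-memory npm-style tarball as a test fixture (not a real package).
func BuildTarball(packageJSON string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	_ = tw.WriteHeader(&tar.Header{Name: "package/package.json", Mode: 0o644, Size: int64(len(packageJSON))})
	_, _ = tw.Write([]byte(packageJSON))
	_, _ = tw.Close(), gz.Close()
	return buf.Bytes()
}
```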