slsa-verifier
Verify provenance from SLSA-compliant builders
We don't have tests for these. For GCB, it's particularly important since multiple provenances may be contained in the gcloud provenance.
When we bump the major version, we need to update the go.mod and all the imports in the file. See https://github.com/slsa-framework/slsa-verifier/issues/299 and https://github.com/slsa-framework/slsa-verifier/pull/378 for context. We may want to add...
Can we use "slsa-verifier" in Azure DevOps? If yes, can you share the steps?
We need to release the Action. TODOs: - [x] Fix checkout I tested (https://github.com/laurentsimon/slsa-on-github-test/blob/main/.github/workflows/verifier-action.yaml#L11): ``` uses: slsa-framework/slsa-verifier/actions/[email protected] ``` and it gave me the following error: ```Error: An error occurred trying...
Currently, we populate the Verify\*Command's properties directly, instead of using CLI flags. I added support for additionally testing CLI flags, but this would only allow us to test the output...
For defense in depth, we should verify these against the signing certificate, print these, and also in the future expose options for clients to create policies to verify these against.
See original discussion https://github.com/gossts/slsa-provenance/issues/21
We need a better story around installation, like a native debian package. Work items: - [x] File a WNPP ITP bug (https://wiki.debian.org/ITP) Done https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019904 - [ ] Refresh knowledge on...
Do we need to start thinking of a SLSA level flag during verification? This could encourage users to use our tool for verification, even when the provenance has lower levels,...
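The checks the issues above keep circling (does the provenance actually cover this artifact, was it produced by the builder and source we expect, and does that builder meet a minimum SLSA level) are shown below as an added, self-contained Go example. It is not slsa-verifier's code and does not use its API; the builder ID, source URI, subject name and the builder-to-level map are constructed, hypothetical values, the statement is built inline rather than read from a real build, and DSSE signature verification is assumed to have already happened before this policy layer runs. Source matching is a plain string comparison, which is simpler than what a real verifier does with refs and tags.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal view of an in-toto Statement carrying a SLSA v0.2 provenance
// predicate. Only the fields this check consumes are modelled.
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
		Invocation struct {
			ConfigSource struct {
				URI string `json:"uri"`
			} `json:"configSource"`
		} `json:"invocation"`
	} `json:"predicate"`
}

// Policy is what the caller expects the provenance to say.
type Policy struct {
	ExpectedSourceURI string
	ExpectedBuilderID string
	MinLevel          int
	// BuilderLevels maps builder IDs to the SLSA level the caller trusts
	// them for. Hypothetical values; a real policy is maintained per deployment.
	BuilderLevels map[string]int
}

const slsaV02 = "https://slsa.dev/provenance/v0.2"

// Hypothetical identifiers used only by the constructed sample below.
const (
	exampleBuilderID = "https://builder.example/trusted-builder@v1"
	exampleSourceURI = "git+https://github.com/example/repo@refs/tags/v1.0.0"
)

// CheckProvenance verifies that statement lists artifact (by sha256) as a
// subject and that builder, source and trust level satisfy p. The DSSE
// signature over statement is assumed to have been verified already.
func CheckProvenance(statement []byte, artifact []byte, p Policy) error {
	var st Statement
	if err := json.Unmarshal(statement, &st); err != nil {
		return fmt.Errorf("parse statement: %w", err)
	}
	if st.PredicateType != slsaV02 {
		return fmt.Errorf("unsupported predicateType %q", st.PredicateType)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			matched = true
			break
		}
	}
	if !matched {
		return errors.New("artifact digest not listed in provenance subject")
	}
	if st.Predicate.Builder.ID != p.ExpectedBuilderID {
		return fmt.Errorf("builder %q, expected %q", st.Predicate.Builder.ID, p.ExpectedBuilderID)
	}
	if st.Predicate.Invocation.ConfigSource.URI != p.ExpectedSourceURI {
		return fmt.Errorf("source %q, expected %q", st.Predicate.Invocation.ConfigSource.URI, p.ExpectedSourceURI)
	}
	level, ok := p.BuilderLevels[st.Predicate.Builder.ID]
	if !ok {
		return fmt.Errorf("no trust level configured for builder %q", st.Predicate.Builder.ID)
	}
	if level < p.MinLevel {
		return fmt.Errorf("builder level %d below required level %d", level, p.MinLevel)
	}
	return nil
}

// SampleStatement builds a constructed (unsigned) statement covering artifact.
func SampleStatement(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	st := map[string]interface{}{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": slsaV02,
		"subject": []map[string]interface{}{{
			"name":   "app-linux-amd64",
			"digest": map[string]string{"sha256": hex.EncodeToString(sum[:])},
		}},
		"predicate": map[string]interface{}{
			"builder":    map[string]string{"id": exampleBuilderID},
			"invocation": map[string]interface{}{"configSource": map[string]string{"uri": exampleSourceURI}},
		},
	}
	b, _ := json.Marshal(st)
	return b
}

// ExamplePolicy trusts the hypothetical builder at level 3 and requires level 2.
func ExamplePolicy() Policy {
	return Policy{
		ExpectedSourceURI: exampleSourceURI,
		ExpectedBuilderID: exampleBuilderID,
		MinLevel:          2,
		BuilderLevels:     map[string]int{exampleBuilderID: 3},
	}
}

func main() {
	artifact := []byte("constructed artifact bytes")
	stmt := SampleStatement(artifact)
	fmt.Println("genuine artifact:", CheckProvenance(stmt, artifact, ExamplePolicy()))
	fmt.Println("tampered artifact:", CheckProvenance(stmt, []byte("tampered"), ExamplePolicy()))
}
```

The level check is the part the last issue asks about: rather than refusing to verify lower-level provenance, the verifier still validates digest, builder and source, and the caller decides through MinLevel whether the result is acceptable.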