slsa-verifier
Verify provenance from SLSA compliant builders
The work in https://github.com/slsa-framework/slsa-verifier/pull/731 retrieves the latest signing key from the TUF root. There is metadata for a `ValidFor.Start`, and in the future there may be a `ValidFor.End`. Consider...
- verify artifacts. Take an artifact or hash and a set of mandatory metadata (source repo)
- verify packages. Take an artifact or hash and a set of mandatory metadata...
This repo https://github.com/slsa-framework/slsa-policy slsa-verifier would then become the single source for:
- APIs to verify attestations (the current scope of the repo so far)
- APIs to generate attestations (VSA,...
Right now the slsa-verifier is designed around a closed-world assumption, i.e. it can validate attestations generated by known builders and rejects attestations for unknown builders. Ideally, there would be a...
Remove setup-go from the codeql-analysis.yml workflow. https://github.com/slsa-framework/slsa-verifier/pull/738#discussion_r1462446238 We have added a custom step to the code-ql analysis job, as a workaround to fix the workflow when using go1.21. This issue...
As part of the effort to bring SLSA to ML https://github.com/google/model-transparency, we need to be able to sign directories. This requires the definition of a new "hash", i.e. how to...
There's a distinction to be made between the signer and the builder for sigstore-based CLIs (npm). We currently have two builders allowed for npm verification: `github-hosted` and `self-hosted`. This is...
Right now the slsa-verifier does various validations depending on the type of builder that was identified from the provenance. However, it would be quite handy if in a verbose mode,...
Per discussion in https://github.com/slsa-framework/slsa-verifier/issues/707, we'd like to be able to verify certain things end-to-end and need a way to ignore signature verification. @trishankatdatadog @ianlewis
https://github.com/sigstore/cosign/pull/3059 is splitting APIs based on providers. Once it's landed, we can use these to provide various slsa-verifier builds: one for all providers, one for Google, docker, etc.