slsa-verifier

slsa-verifier copied to clipboard

We currently have interfaces for v0.2 and v1.0 SLSA specs for GitHub builders, but they are not shared with other builders like GCB

laurentsimon

Support verification for npm SLSA v1.0

3

laurentsimon

``` workflow_id:30330619 run_id:540[8](https://github.com/slsa-framework/slsa-verifier/actions/runs/5408519694/jobs/9827769041?pr=645#step:6:9)45[9](https://github.com/slsa-framework/slsa-verifier/actions/runs/5408519694/jobs/9827769041?pr=645#step:6:10)460 artifact_id: gh: Not Found (HTTP 404) End-of-central-directory signature not found. Either this file is not Archive: artifacts1.zip a zipfile, or it constitutes one disk of a multi-part...

ianlewis

feat: remove support for special handling of material verification for npm

6

See https://github.com/slsa-framework/slsa-verifier/pull/521#discussion_r1131610475

laurentsimon

laurentsimon

SLSA v1.0 verification support for npm packages built by the npm cli

3

Verification support for the npm CLI as defined by [RFC-0049](https://github.com/npm/rfcs/blob/main/accepted/0049-link-packages-to-source-and-build.md#sigstore-integration-in-the-npm-cli)

ianlewis

SLSA v1.0 verification support for npm packages built by the "Trusted Builder"

18

Verification support for the "Trusted Builder" as defined in [RFC-0049](https://github.com/npm/rfcs/blob/main/accepted/0049-link-packages-to-source-and-build.md#non-falsifiable-provenance-using-a-trusted-builder)

ianlewis

I noticed the CLI test uses builders at main for the multiple subject tests. This means we can't remove SLSA_VERIFIER_TESTING that was enabled in the CI tests for the unrelease...

asraa

[feature][npm] Verify the package name in the tarball

2

See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1116675186 This requires changing the interface, and would probably not work as a service since the tarball would not be transmitted.

laurentsimon

We need e2e tests.

laurentsimon