slsa-verifier
Verify provenance from SLSA compliant builders
GCB allows triggering builds via CLI, in which case the config is passed as an RPC input, but not in code. We should check the entryPoint is not empty.
The e2e-cli script https://github.com/slsa-framework/slsa-verifier/blob/main/.github/workflows/scripts/e2e-cli.sh runs the slsa-verifier CLI at main against existing provenance formats, in order to catch cases where the CLI may have been broken (since our main_regression_test.go uses...
This could be useful if consumers integrate our code in a service:
- memory usage changes
- performance changes
In a pre-submit would be ideal. We could also have this...
In the SLSA tooling meeting we just wanted to create some tracking issues in some of the projects like slsa-verifier for 1.0 support. Feel free to edit this ticket with...
https://github.com/slsa-framework/slsa-verifier/pull/519
slsa-verifier uses a hand-written [method](https://github.com/slsa-framework/slsa-verifier/blob/12910ea59692bc0e18229167ef9aac190d937679/verifiers/internal/gha/rekor.go#L320) to verify the DSSE attestation assuming a verified Rekor entry (may be fetched from Rekor search or the bundle and verified). If sigstore-go exposes a...
See https://github.com/slsa-framework/slsa-verifier/pull/495#discussion_r1122445010 Need to have a list of pros and cons. Please comment.
https://github.com/slsa-framework/github-actions-buildtypes/blob/main/workflow/v1/example.json#L32 I don't know how to differentiate between sha1 and sha256. I suppose it's going to be length-based...?
I'm wondering if we should simplify verification to take as input the intoto file:

```shell
gcloud artifacts docker images describe $IMMUTABLE_IMAGE --format json --show-provenance | jq -r '.provenance_summary.provenance[0].envelope'
```

This...