slsa
propose in-toto format for source provenance attestations
Ideally someone familiar with writing in-toto specifications will propose a suitable, extensible format for "provenance claims" made from the perspective of the SCP (source control platform).
Here is a very rough summary of what we discussed in the originating 🧠 🌩 document.
```yaml
subject:
  - name: github:sigstore/sigstore-conformance@95d23843cf9c4b83524ade2ec683052d1ea2b2f9
    digest:
      sha512: 0123456789abcdef...
predicateType: https://slsa.dev/changeset/v0.1
predicate:
  changeset:
    uri: https://api.github.com/repos/sigstore/sigstore-conformance/pulls/95
    createdAt: 2011-01-26T19:01:12Z
    closedAt: 2011-01-26T19:01:12Z
    mergedAt: 2011-01-26T19:01:12Z
    # maps to the confusingly-named "head" GitHub object
    topicRef:
      ref: refs/heads/ww/xfail
      sha: c4f1973d00d2272f78979cac8581d6b6d7ee0752
      repo:
        id: 541893186
        uri-html: https://github.com/sigstore/sigstore-conformance
    # maps to the confusingly-named "base" GitHub object
    targetRef:
      ref: refs/heads/main
      shaAfter: 95d23843cf9c4b83524ade2ec683052d1ea2b2f9 # maps to GH merge_commit_sha
      shaBefore: 1abc82cdefe80bd907855d8447f903ba8b4918e0 # best merge base
      repo:
        id: 541893186
        uri-html: https://github.com/sigstore/sigstore-conformance
    # optional: list of all constituent commits in the changeset?
    commits:
      - sha: c4f1973d00d2272f78979cac8581d6b6d7ee0752
        uri: https://api.github.com/repos/sigstore/sigstore-conformance/git/commits/c4f1973d00d2272f78979cac8581d6b6d7ee0752
        signature: "-----BEGIN SSH SIGNATURE----... entire signature .. \n-----END SSH SIGNATURE-----"
        author:
          uri: https://github.com/woodruffw
        committer:
          uri: https://github.com/woodruffw
        pusher:
          uri: https://github.com/woodruffw
    # optional: how would we want to list all contributors to the changeset?
    contributors:
      - uri: https://github.com/woodruffw
        roles: [pr_author, committer?, pusher, merger]
      - uri: https://github.com/jleightcap
        roles: [reviewer]
  # what rules were enforced that allowed this version to be created?
  # this might also reasonably be called "security_measures" or something less GitHubby.
  # Each rule schema would be versioned independently, but there may be commonalities between different products.
  rules:
    - id: 1111 # the instance of the pull request rule? maybe uri of the ruleset itself, or the ruleset evaluation run that approved it.
      type: github/pull-request/v0.1 # some way to version the results
      configuration: # context for interpreting the results
        requiredReviewers: 2
        dismissStaleReviews: true
      result:
        reviews:
          - reviewedAt: 2011-01-26T19:01:12Z
            reviewerUri: https://github.com/jleightcap
            role: Contributor
            result: accept
            topicSha: <sha256>
            targetSha: <sha256>
            bestMergeBase: <sha256>
          - reviewedAt: 2011-01-26T19:01:12Z
            reviewerUri: https://github.com/zachariahcox
            result: reject
            role: Collaborator
            topicSha: <sha256>
            targetSha: <sha256>
            bestMergeBase: <sha256>
    - id: 2222
      type: github/signed_commits/v0.1
      configuration:
        enabled: true # this is just a checkbox, but maybe it should include any required signing tech?
    - id: 3333
      type: github/required_workflow/v0.1
      configuration:
        workflowFileName: sigstore/sigstore-conformance/.github/workflows/conformance.yml
        sha: c4f1973d00d2272f78979cac8581d6b6d7ee0752
        ref: refs/heads/main
        uri: https://github.com/sigstore/sigstore-conformance/blob/c4f1973d00d2272f78979cac8581d6b6d7ee0752/.github/workflows/conformance.yml
      result:
        uri: https://github.com/sigstore/sigstore-conformance/pull/95/checks?check_run_id=15533071514
        status: pass
```