slsa icon indicating copy to clipboard operation
slsa copied to clipboard
verified publisher icon slsa-framework

Clarify that SLSA is intended to be automatically verifiable

Open MarkLodato opened this issue 4 years ago • 4 comments

As mentioned in #127, we need to clarify that all of the SLSA requirements are intended to be automatically verifiable to some degree. Right now that is completely unstated, which results in confusion and disagreement.

Futhermore, we should explain how we picture verifying these requirements. Examples:

  • Version Control: The source listed in the build provenance is either a known version control system (e.g. git+https URI scheme), has an attestation showing it came directly from version control (by matching on digest), or has some TBD chained verification.
  • Retention: The source has an attestation from the source control platform claiming that it meets the retention requirement, and the verifier has some global configuration saying which platforms the verifier trust to make that claim. For example, a verifier might trust GitHub's claims about retention.

MarkLodato avatar Aug 10 '21 15:08 MarkLodato

Regarding the source control system issuing an attestation to these requirements please see https://github.com/in-toto/attestation/issues/47

TomHennen avatar Aug 10 '21 16:08 TomHennen

Note we added mention of the intent for all requirements to be automatically verifiable in https://github.com/slsa-framework/slsa/pull/133#discussion_r690470200

joshuagl avatar Sep 06 '21 13:09 joshuagl

I talked about this a bit with @joshuagl

The idea is that artifacts can be automatically verified to see if they meet a given SLSA level. Systems, however, may need some human analysis to see if they meet their SLSA requirements (e.g. Source & Build requirements).

For example, a security engineer may analyze the architecture and implementation of a build system to ensure that it meets (or can meet) the build requirements. Once the analysis is complete the keys used by the build system can then be 'trusted' up to a given SLSA level.

During verification of artifacts, the verifier can then automatically determine that the build system used meets the build requirements by checking if the keys used to sign the provenance are 'trusted' at the target SLSA level.

TomHennen avatar Sep 07 '21 13:09 TomHennen

Issue https://github.com/slsa-framework/slsa/issues/46 "Policy & Verification" is related to this. As is #478 on achieving automatic verification.

joshuagl avatar Oct 03 '22 13:10 joshuagl

I'm repurposing this issue to cover the general issue of how systems and artifacts are verified to meet the SLSA requirements, de-duplicating other issues here. See the updated top comment for the latest.

MarkLodato avatar Oct 17 '22 14:10 MarkLodato

Now that we've closed the 'verifying systems' bug, we can close this one as well.

kpk47 avatar Mar 20 '23 18:03 kpk47