-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support verification of generic builders #734
Comments
Thanks for the issue. @ramonpetgrave64 I think it'd be useful to have one tool to verify many builders, as it improves UX for end-users |
I dont have a technical solution in mind as of now, but wanted to create this ticket to raise awareness that we will need some kind of generic way to verify attestations generated from different builders unless you put all the burden to the user to figure out by himself how artifacts with attestations can be verified. |
Would something like an interface https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gcb/slsaprovenance/iface/provenance.go help? Do you imagine some sort of plugin mechanism or a way for developers to extend the slsa-verifier with a fork where they add their own code, eg via an interface as above? |
What kinds of unknown builders are you thinking? Are they still github actions? |
They may be builder for CircleCI or others, even private builder. So there are not GitHub based |
I would also like to see this. While the SLSA data formats themselves are generic and pretty well documented, the infrastructure around is quite use-case specific. I'm considering generating provenance attestation data in KAS. The implementation is quite straight-forward, but testing this is nearly impossible as I can only verify the data with my own tooling. By that, I can't be sure to correctly generate the "statement" and the DSSEv1 "envelope". This makes it impossible to check interoperability. Also a lot of documentation, tooling and end-to-end examples are still based on the in-toto v0.1 spec (link format), which is not very helpful. For a wider adoption of in-toto / SLSA, it would tremendously help to have a generic tool that works on information passed on the command line:
The tool should check the following:
|
Will any of you attend the OSS@NA in Seattle next month? |
I will be at the co-located "Embedded OSS Summit". Let's meet. |
Great. How do we get in touch? Slack? Email? |
Right now the slsa-verifier is designed around a closed-world assumption, i.e. it can validate attestations generated by known builders and rejects attestations for unknown builders.
Ideally, there would be a set of generic requirements that must be fulfilled by any SLSA compliant builder which can be verified by the slsa-verifier in order to conclude if the given attestation is valid.
This would help to work on other builders.
The text was updated successfully, but these errors were encountered: