Feature: New check for SLSA provenance generation #1776
Comments
Sounds like a good idea to me. Maybe expand the
Provenance encompasses all the other signature schemes, since it contains a signature not only of the binary, but also of how the binary was produced, so I'm inclined to retire the
Anyone with an opinion, please chime in.
This is great! 👍
Sure, not tied to the
I was thinking the new check will encompass all schemes: provenance, but also signatures.
Yes, so long as there is tooling to achieve it.
Provenance also contains a signature that covers the binary and additional information (builder ID, commands, etc.), so it does encompass the signature.
Chiming in to say I'd like to start using SLSA with urllib3 but losing out on the
Could we get Scorecard to recognize
We're not verifying signatures at all, because it's hard to find out the correct public key in practice. So we can definitely look for an .intoto.jsonl.
I think that makes sense, especially as a means to convince people to start using SLSA. |
Great. Anyone interested in sending a PR for this? This is the file to update: https://github.com/ossf/scorecard/blob/main/checks/evaluation/signed_releases.go#L51, and we can add a unit test in https://github.com/ossf/scorecard/blob/main/checks/signed_releases_test.go
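One way to implement the check sketched in this thread, written here as an added example and not Scorecard's own code: classify release assets into provenance files (.intoto.jsonl) and detached signatures, then parse a provenance line to read which builder claims to have produced the artifact. The asset suffixes, the builder-ID prefix treated as "official" (taken from the slsa-framework URL in the issue), and the sample provenance line are all assumptions constructed for the example. As the thread notes, nothing here verifies the signature; the example only checks that one is present, so the builder ID is a self-declared claim until a verifier with the right public key confirms it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Asset suffixes treated as evidence. Assumed for this example, not Scorecard's list.
const provenanceSuffix = ".intoto.jsonl"

var signatureSuffixes = []string{".sig", ".asc", ".minisig"}

// Builder IDs under this prefix count as official SLSA builders (assumed prefix).
const officialBuilderPrefix = "https://github.com/slsa-framework/"

// ReleaseEvidence groups a release's assets by the kind of evidence they carry.
type ReleaseEvidence struct {
	Provenance []string
	Signatures []string
}

// ClassifyAssets sorts release asset names into provenance files and detached signatures.
func ClassifyAssets(names []string) ReleaseEvidence {
	var ev ReleaseEvidence
	for _, n := range names {
		lower := strings.ToLower(n)
		if strings.HasSuffix(lower, provenanceSuffix) {
			ev.Provenance = append(ev.Provenance, n)
			continue
		}
		for _, s := range signatureSuffixes {
			if strings.HasSuffix(lower, s) {
				ev.Signatures = append(ev.Signatures, n)
				break
			}
		}
	}
	return ev
}

// dsseEnvelope is one line of an .intoto.jsonl file: a DSSE envelope whose
// payload is a base64-encoded in-toto Statement.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
	Signatures  []struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	} `json:"signatures"`
}

// intotoStatement is the subset of the Statement this example inspects.
type intotoStatement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"predicate"`
}

// ProvenanceInfo is what can be learned from a provenance line without verifying it.
type ProvenanceInfo struct {
	BuilderID       string
	OfficialBuilder bool
	HasSignature    bool // presence only; the signature is NOT verified
}

// InspectProvenance parses one .intoto.jsonl line and reports the claimed builder.
func InspectProvenance(line string) (ProvenanceInfo, error) {
	var env dsseEnvelope
	if err := json.Unmarshal([]byte(line), &env); err != nil {
		return ProvenanceInfo{}, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return ProvenanceInfo{}, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return ProvenanceInfo{}, fmt.Errorf("decode payload: %w", err)
	}
	var st intotoStatement
	if err := json.Unmarshal(raw, &st); err != nil {
		return ProvenanceInfo{}, fmt.Errorf("parse statement: %w", err)
	}
	if !strings.HasPrefix(st.PredicateType, "https://slsa.dev/provenance/") {
		return ProvenanceInfo{}, fmt.Errorf("not SLSA provenance: %q", st.PredicateType)
	}
	if st.Predicate.Builder.ID == "" {
		return ProvenanceInfo{}, fmt.Errorf("provenance has no builder.id")
	}
	return ProvenanceInfo{
		BuilderID:       st.Predicate.Builder.ID,
		OfficialBuilder: strings.HasPrefix(st.Predicate.Builder.ID, officialBuilderPrefix),
		HasSignature:    len(env.Signatures) > 0,
	}, nil
}

// SampleProvenanceLine builds a constructed .intoto.jsonl line for the example.
// The digest and signature bytes are made up; nothing here was actually signed.
func SampleProvenanceLine(builderID string) string {
	statement := fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v0.1",`+
		`"predicateType":"https://slsa.dev/provenance/v0.2",`+
		`"subject":[{"name":"urllib3-2.0.0.tar.gz","digest":{"sha256":"%s"}}],`+
		`"predicate":{"builder":{"id":"%s"}}}`, strings.Repeat("ab", 32), builderID)
	env := map[string]interface{}{
		"payloadType": "application/vnd.in-toto+json",
		"payload":     base64.StdEncoding.EncodeToString([]byte(statement)),
		"signatures":  []map[string]string{{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}},
	}
	b, _ := json.Marshal(env)
	return string(b)
}

func main() {
	ev := ClassifyAssets([]string{"urllib3-2.0.0.tar.gz", "urllib3-2.0.0.tar.gz.asc", "multiple.intoto.jsonl"})
	fmt.Printf("provenance=%v signatures=%v\n", ev.Provenance, ev.Signatures)
	info, err := InspectProvenance(SampleProvenanceLine(officialBuilderPrefix + "example-builder"))
	fmt.Printf("info=%+v err=%v\n", info, err)
}
```

A Scorecard-style evaluation built on this would score a release that ships a provenance file from an official builder at least as high as one with detached signatures, which is the point the thread makes about provenance encompassing the signature schemes. The unverified-claim caveat is the reason to keep HasSignature and OfficialBuilder as separate fields rather than collapsing them into a single pass/fail.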
This issue is stale because it has been open for 60 days with no activity. |
This check may replace the Signed-Release checks and verify that the releases generate SLSA provenance using the official builders from https://github.com/slsa-framework/slsa. We can:
- .intoto.jsonl file
This should allow us to also provide some SLSA compliance flags for scorecard, e.g. something like --slsa=3