You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What will we verify if our provenance file and steps/materials are not signed? Perhaps I'm misunderstanding something here. Of course, we could verify that the file has a proper format, but this does not seem like the objective of this command.
I'm trying to understand how this would apply in our situation.
Once we have provenance generated, it would also be handy to be able to verify the provenance.
In practice this means we need to be able to execute the attestations from the in-toto statement.
Verifying the provenance file would in general be something that is executed in a admission-controller before something is installed in production.
See here a reference of the in-toto statement
https://github.com/in-toto/attestation
See here another binary implementing in-toto including a verify command.
https://github.com/in-toto/in-toto-golang
The text was updated successfully, but these errors were encountered: