Comments (4)
I think it's definitely something that could be considered and supported. In order to keep it simpler, maybe it's something we should wait on implementing until folks are specifically asking for it?
If we did implement it, we could allow folks to specify their own address for rekor/fulcio servers in a config file at the base of the repo like the one slsa-github-generator-go has.
from slsa-github-generator.
Yeah, so when I heard about this project I thought of it as made up of two steps:
-
Taking workload identity information (like from GitHub Actions) and encoding it into an
in-toto
document withSLSA
predicates -
Generating a signed attestation of the
in-toto
document, so it can be verified downstream
For (2), there are many advantages of using public sigstore
infrastructure: individual projects don't have to manage PKI, there's a public transparency log, ... etc. The expectation is that this is what most open source projects would do.
But there might be cases where people don't want to use public sigstore
infrastructure, maybe because the don't want their transparency logs to be public, or because they have their own PKI they way to use. In that situation, it would be nice if this project supported just generating the in-toto
document (i.e. just step 1 - which they could then sign however they liked), or maybe even different options for signing other than public sigstore
infrastructure (i.e. step 2).
That said, there is a lot of value in having an opinionated paved path, and maybe having different options for (2) adds more confusion than it's worth. There's nothing stopping people from implementing support for their own PKI as they need it!
from slsa-github-generator.
we could allow folks to specify their own address for rekor/fulcio servers in a config file at the base of the repo like the one slsa-github-generator-go has.
The biggest challenge around here is verifying against the correct TUF root: folks would need to specify addresses for rekor/fulcio but also the trusted root CA and rekor public key they expect. That information would need to be pushed to the SLSA verifier as well.
I don't know the best solution for this yet. Do we specify the whole TUF root? On the generator side I suppose we only need to specify the rekor/fulcio, and the end-users need to know the TUF root.
from slsa-github-generator.
The biggest challenge around here is verifying against the correct TUF root
How do sigstore tools handle this currently?
from slsa-github-generator.
Related Issues (20)
- Upgrade upload/download-artifact in sync across all org HOT 4
- [e2e]: maven workflow_dispatch main default slsa3 HOT 2
- [e2e]: nodejs release main default slsa3 HOT 3
- [e2e]: nodejs push branch1 default slsa3 HOT 1
- [e2e]: nodejs push main custom_publish slsa3 HOT 1
- [feature] Update actions to Node 20 HOT 4
- [e2e]: maven workflow_dispatch main default slsa3 HOT 2
- [e2e]: nodejs push branch1 default slsa3 HOT 1
- [e2e]: nodejs release main default slsa3 HOT 3
- [e2e]: maven workflow_dispatch main default slsa3 HOT 3
- [e2e]: generic workflow_dispatch main tagname slsa3 HOT 1
- [e2e]: container push main default slsa3 HOT 1
- [e2e]: generic workflow_dispatch branch1 default slsa3 HOT 1
- [e2e]: generic workflow_dispatch main default slsa3 HOT 1
- [feature] e2e tests for #2727 HOT 2
- [e2e]: go tag main config-ldflags-assets slsa3 HOT 1
- [e2e]: maven workflow_dispatch main default slsa3 HOT 1
- [e2e]: nodejs push branch1 default slsa3 HOT 1
- [e2e]: delegator-lowperms tag main default slsa3 HOT 1
- [e2e]: nodejs release main default slsa3 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from slsa-github-generator.