Add support for SLSA 1.0 predicate #2860
Comments
|
AFAIK, cosign uses in-toto-golang (v0.0.7) to consume spec. And I saw that PR by @asraa merged to the next branch of that project. So, once the newest version of in-toto-golang is released with the SLSA v1 support, we'll update the in-toto-golang dep on cosign side and make necessary updates based on that spec. |
|
Thank! I'll check the ticket there. |
|
V1 support merged - in-toto/in-toto-golang#223 |
|
any updates on this issue getting addressed? we at harness are looking to use cosign for slsa provenance generation and want to make sure we adhere to the slsa 1.0 spec |
|
No progress, though it should be straightforward to implement. We should make sure we continue to support verifying 0.2 attestations. |
|
I'm interested in writing a PR for this if it's not active... I probably won't have a chance to get to it until next week though. Is there any process I should follow to prevent overlapping if I start working on it? Also: would it make sense to add this as |
…store#3219) * Add SLSA 1.0 attestation support to cosign Signed-off-by: Canaan Silberberg <csilberberg@etsy.com> * fix leading whitspace Signed-off-by: Canaan Silberberg <csilberberg@etsy.com> * fix 1.0 typo Signed-off-by: Canaan Silberberg <csilberberg@etsy.com> * add slsaprovenance02 type Signed-off-by: Canaan Silberberg <csilberberg@etsy.com> --------- Signed-off-by: Canaan Silberberg <csilberberg@etsy.com>
Cosign supports the v0.2 SLSA predicate through the
--type slsaprovenanceflag on theattestandattest-blobcommands. SLSA 1.0 Release Candidate 1 (RC1) is out and RC2 should be coming out today. By the end of this month (April 2023) it is expected that SLSA v1.0 will be officially released. We don't expect any new major changes to the SLSA provenance predicate.For reference, here's the specification for the predicate: https://slsa.dev/provenance/v1-rc1
The text was updated successfully, but these errors were encountered: