Commit
Add "Source Repository Visibility At Signing" ext
Adding a new Fulcio cert extension: "Source Repository Visibility At Signing". Includes the source visibility at the time of signing/creating the certificate for GitHub Actions (backed by the `repository_visibility` claim in the GHA ID token). The plan is for GitLab to add a backing ID token claim to support this extension in the next few weeks.

TL;DR
- Attesting to source visibility in the certificate means we can verify whether a provenance attestation came from a public/private source repository without performing a network request to the source repository at the time of signing
- If you want to verify source visibility some time after signing you will need to make an unauthenticated network request to the source repository URI
- npm will start to verify this extension value (if it's set) at the time of publish and reject any public packages with provenance that come from a private source repository
- npm will also perform just-in-time reachability checks to the source repository/commit when viewing a package on npmjs.com
- "Source Repository Visibility At Signing" extension will be optional in Fulcio to allow CI systems to omit it if they don't have access to this info

See full discussion here: #1263

Signed-off-by: Philip Harrison <philip@mailharrison.com>
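The publish-time check the commit message describes, as an added example that is not code from Fulcio, npm or this commit. It assumes the extension's OID (1.3.6.1.4.1.57264.1.22, to be confirmed against Fulcio's certificate specification) and that the value is a DER-encoded UTF8String, the encoding Fulcio uses for its newer extensions; the extension maps are constructed samples standing in for what a verifier would read off a signing certificate.

```python
from typing import Optional

# Assumed OID for "Source Repository Visibility At Signing"; confirm against Fulcio's spec.
SOURCE_REPO_VISIBILITY_OID = "1.3.6.1.4.1.57264.1.22"

def der_utf8string(value: str) -> bytes:
    """Encode as a DER UTF8String (tag 0x0C, length, contents), as Fulcio does for newer extensions."""
    body = value.encode("utf-8")
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:  # long-form length: 0x80 | number of length bytes, then the big-endian length
        n = (len(body).bit_length() + 7) // 8
        length = bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return b"\x0c" + length + body

def decode_der_utf8string(raw: bytes) -> str:
    """Strict decoder: exactly one UTF8String, no trailing bytes, no other tags."""
    if len(raw) < 2 or raw[0] != 0x0C:
        raise ValueError("extension value is not a DER UTF8String")
    if raw[1] < 0x80:
        length, start = raw[1], 2
    else:
        n = raw[1] & 0x7F
        if n == 0 or len(raw) < 2 + n:
            raise ValueError("malformed DER length")
        length, start = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    if start + length != len(raw):
        raise ValueError("trailing or missing bytes in extension value")
    return raw[start:start + length].decode("utf-8")

def visibility_at_signing(extensions: dict) -> Optional[str]:
    """Attested visibility, or None when the optional extension is absent from the cert."""
    raw = extensions.get(SOURCE_REPO_VISIBILITY_OID)
    return None if raw is None else decode_der_utf8string(raw)

def allow_publish(package_is_public: bool, extensions: dict) -> tuple:
    """npm-style rule: a public package must not carry provenance from a private repository."""
    visibility = visibility_at_signing(extensions)
    if visibility is None:
        return True, "extension absent; visibility not attested, check the repository online"
    if package_is_public and visibility != "public":
        return False, f"public package with provenance from a {visibility} source repository"
    return True, f"source repository was {visibility} at signing"

# Constructed sample extension maps, keyed by dotted OID as a verifier would read them off a cert.
PRIVATE_CERT_EXTS = {SOURCE_REPO_VISIBILITY_OID: der_utf8string("private")}
PUBLIC_CERT_EXTS = {SOURCE_REPO_VISIBILITY_OID: der_utf8string("public")}
```

The absent-extension branch mirrors the "if it's set" wording: a CI system that omits the extension is not rejected by this check, which is why the just-in-time reachability check still matters.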
Showing 7 changed files with 560 additions and 474 deletions.