From cd23e070072f31961c3657974cf81d3d8a276524 Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Wed, 22 May 2024 05:15:53 +0900 Subject: [PATCH] chore: Fix markdown issues (#3658) # Summary Fix a couple small issues with markdown files. - Add alt text to images - Fix table row Fixes a couple issues in an upcoming version of markdown lint https://github.com/slsa-framework/slsa-github-generator/pull/3643/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5 ## Testing Process N/A ## Checklist - [x] Review the contributing [guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md) - [x] Add a reference to related issues in the PR description. - [x] Update documentation if applicable. - [x] Add unit tests if applicable. - [x] Add changes to the [CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md) if applicable. Signed-off-by: Ian Lewis --- README.md | 2 +- SPECIFICATIONS.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f67f8ffd33..d848b64f4f 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ [![Slack](https://img.shields.io/static/v1?label=openssf.slack.com&message=%23slsa-tooling&color=4A154B&logo=slack)](https://slack.openssf.org/) [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) - +SLSA logo diff --git a/SPECIFICATIONS.md b/SPECIFICATIONS.md index 38d80d271a..e28afb8ef2 100644 --- a/SPECIFICATIONS.md +++ b/SPECIFICATIONS.md 
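Review bot: in the README hunk the `-` line renders empty and the `+` line shows only the alt text `SLSA logo`, so the image source is not visible in this view; before merging, confirm on the rendered diff that the change is alt-text only and that the image path after the badges survived unchanged. `SLSA logo` itself is adequate alt text and matches the existing badge alts (`Slack`, `SLSA 3`) in the context lines above.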
@@ -234,7 +234,7 @@ Given an artifact and a signed provenance, we perform the following steps: 3. **Extract the builder identity from the signing certificate**: Extract certificate information (see [here](https://github.com/sigstore/fulcio/blob/c74e2cfb763dd32def5dc921ff49f579fa262d96/docs/oid-info.md#136141572641--fulcio) for extension OIDs). Verify that the signing certificate’s subject name (job_workflow_ref) is the trusted builder ID at a trusted hash (calling repository SHA in the diagram below). This verifies authenticity of the provenance and guarantees the provenance was correctly populated. - + certificate OIDs 4. **Verify the provenance attestation against a policy, as usual**: Parse the authenticated provenance and match the subject digest inside the provenance with the artifact digest. Additionally verify builder ID, configSource, and other properties according to policy. 
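Review bot: the alt text `certificate OIDs` added to the step 3 diagram is generic; the prose directly above sends readers to "the diagram below" for the calling repository SHA and the `job_workflow_ref` subject name, so an alt text that names what the figure shows (for instance the Fulcio certificate extensions, `job_workflow_ref` and the calling repository SHA) would carry the same information for screen-reader users and still satisfy the lint rule the PR description cites.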
@@ -277,7 +277,7 @@ More specifically, below are a list of threats we aim to protect against: | Build same repo same version but non-default branch | Branch and versions both added to provenance using GitHub's trigger payload | Verify provenance info | | Build same repo different builder | Sigstore embeds trusted builder's path in cert | Verify cert's workflow path | | Build same repo using user-defined workflow | Sigstore embeds builder's path in cert | Verify cert's workflow path | -| Forge valid certificate with different repo/hash/builder through GitHub token leak | Token expires when job is complete, cleared after unmarshalling | +| Forge valid certificate with different repo/hash/builder through GitHub token leak | Token expires when job is complete, cleared after unmarshalling | | | Malicious env variables | Only accepts `CGO_*` and `GO*` env variables | Note: should be left to the verifier to decide | | Script injections | Filter option names using allow-list + use execve() | Note: should be left to the verifier to decide | | Malicious compiler options | Use allow-list | Note: should be left to the verifier to decide |
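Review bot: the trailing `| |` cell added to the `Forge valid certificate with different repo/hash/builder through GitHub token leak` row fixes the column count but leaves the third (verification) column blank, while every other row in this hunk either names a verifier action (`Verify cert's workflow path`) or carries `Note: should be left to the verifier to decide`; consider stating explicitly that this threat is handled on the builder side only (token expires when the job completes and is cleared after unmarshalling) and has no verifier-side check, so the empty cell is not read as an omission.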