Clarify how multiple attestations may be needed to verify "source" requirements #241
Related somewhat to: #129
Even though the provenance spec does allow you to point to source control for "materials," it doesn't allow for the ability to attest to "verified history," "retained indefinitely," or "two-person reviewed." You can implicitly assume if you have a source control URI like git that it's "version controlled."
Another related thing, and I'm unsure if there's an issue for this already, but I think the documentation makes it unclear whether the expectation is to have multiple attestations associated with an artifact to then allow the client to make a SLSA level judgement, or if everything is intended to be included as part of a single attestation. In the case of multiple attestations, would a source-based one even include a "builder"?
I bring up the above because in secure CI environments you might have separate "builders" performing different tasks for an artifact build. Those builders might have their own identities and the build service might sign provenance based on those identities, e.g. SPIFFE/SPIRE.
For example, a flow like:
Comments
This is what I was hoping to address in in-toto/attestation#47 (before we moved SLSA provenance back to this project). I had a proposal I was running past @joshuagl but we never actually finished it up. I've shared it with you to get your feedback too. Should we continue discussion here or in in-toto/attestation#47?
Right, forgot that was over there. Probably makes sense to continue over there for now, but maybe leave this ticket open just so people know to look at the discussion in in-toto/attestation#47?
@TomHennen does it make sense to create another GitHub issue for the other thing described above? There might be a need for multiple attestations associated with an artifact based on who is making what claims?
IMO it makes sense to have this issue be about the general high level problem ("Another related thing...") while in-toto/attestation#47 is about the specific Source Control predicate.
On that topic I'd suggest we expect there to be multiple different attestations. I think that should make it easier for the processes issuing the attestations to have first-hand knowledge about what it is they're signing. In your example I think it could work like this:
WDYT?
Yeah, I was thinking similar.
Reviving this old, still-relevant discussion. My current take would be:
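The issue body asks whether a source-based attestation would sit alongside the build provenance and how a client would combine the two to judge the SLSA "source" requirements. The following is an added example, not code from the SLSA project or from anyone in this thread, of a verifier that does that combination. It assumes a hypothetical source-control predicate type (`https://example.com/source-control/v0`), two assumed SPIFFE identities (`spiffe://ci.example.com/builder` and `spiffe://scm.example.com/git-server`), and that DSSE signature verification has already been done upstream so each envelope arrives with its issuer identity attached. The sample attestations are constructed for the example.

```python
import hashlib
import json

# Predicate types. SLSA provenance v0.1 is real; the source control predicate
# type is a hypothetical placeholder (none existed when this thread was written).
PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"
SOURCE_PREDICATE = "https://example.com/source-control/v0"  # assumed

# Trust policy: which signing identity (SPIFFE IDs, as the issue suggests; both
# assumed here) is believed for which predicate type. The builder has first-hand
# knowledge of the build, the git server of review and retention, so neither is
# believed for the other's claims.
TRUSTED_ISSUERS = {
    "spiffe://ci.example.com/builder": {PROVENANCE_V01},
    "spiffe://scm.example.com/git-server": {SOURCE_PREDICATE},
}

SOURCE_REQUIREMENTS = ("version_controlled", "verified_history",
                       "retained_indefinitely", "two_person_reviewed")


def subject_matches(statement, artifact_sha256):
    """True if any subject of the in-toto Statement carries this sha256 digest."""
    return any(s.get("digest", {}).get("sha256") == artifact_sha256
               for s in statement.get("subject", []))


def relevant_statements(envelopes, artifact_sha256):
    """Keep statements about this artifact whose issuer is trusted for their predicate.

    Each envelope is {"issuer": <identity>, "statement": <in-toto Statement>}.
    In a real pipeline the issuer comes from verifying the DSSE signature against
    the key bound to that identity; that step is assumed already done here.
    """
    kept = []
    for env in envelopes:
        st = env["statement"]
        if st.get("predicateType") not in TRUSTED_ISSUERS.get(env["issuer"], set()):
            continue  # unknown issuer, or issuer not trusted for this predicate
        if not subject_matches(st, artifact_sha256):
            continue  # attestation is about some other artifact
        kept.append(st)
    return kept


def evaluate_source_requirements(envelopes, artifact_sha256):
    """Fold the trusted, matching attestations into one verdict per requirement."""
    results = {name: False for name in SOURCE_REQUIREMENTS}
    for st in relevant_statements(envelopes, artifact_sha256):
        pred = st.get("predicate", {})
        if st["predicateType"] == PROVENANCE_V01:
            # Provenance can only show "version controlled": a git URI among its materials.
            if any(m.get("uri", "").startswith("git+") for m in pred.get("materials", [])):
                results["version_controlled"] = True
        elif st["predicateType"] == SOURCE_PREDICATE:
            # The source control system attests to the properties provenance cannot.
            for name in SOURCE_REQUIREMENTS[1:]:
                if pred.get(name) is True:
                    results[name] = True
    return results


# Constructed sample data: one artifact, two attestations from two identities.
ARTIFACT_SHA256 = hashlib.sha256(b"constructed artifact bytes").hexdigest()
SUBJECT = [{"name": "app.tar.gz", "digest": {"sha256": ARTIFACT_SHA256}}]

PROVENANCE = {
    "issuer": "spiffe://ci.example.com/builder",
    "statement": {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": SUBJECT,
        "predicateType": PROVENANCE_V01,
        "predicate": {
            "builder": {"id": "spiffe://ci.example.com/builder"},
            "materials": [{"uri": "git+https://github.com/example/app@refs/heads/main",
                           "digest": {"sha1": "0" * 40}}],
        },
    },
}

SOURCE_ATTESTATION = {
    "issuer": "spiffe://scm.example.com/git-server",
    "statement": {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": SUBJECT,
        "predicateType": SOURCE_PREDICATE,
        "predicate": {"verified_history": True, "retained_indefinitely": True,
                      "two_person_reviewed": True},
    },
}

# Identical claims signed by the builder, which has no first-hand knowledge of
# code review: the policy must ignore this envelope.
SOURCE_FROM_BUILDER = {"issuer": "spiffe://ci.example.com/builder",
                       "statement": SOURCE_ATTESTATION["statement"]}

if __name__ == "__main__":
    verdict = evaluate_source_requirements([PROVENANCE, SOURCE_ATTESTATION], ARTIFACT_SHA256)
    print(json.dumps(verdict, indent=2))
```

The point of the per-issuer predicate allow-list is the one made in the thread: each attestation is signed by the party with first-hand knowledge of the claim, so a verifier accepts "two-person reviewed" only from the source control system's identity, and a builder that repeats that claim in its own signed statement adds nothing. With only the provenance present, the verdict is "version controlled" and nothing else, which is exactly the gap the issue describes.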