
[feature][npm] Verify consistency between cert and provenance #493

@laurentsimon

Description

@laurentsimon
Contributor

This is currently not possible but will land once the Fulcio claims have been standardized.

Activity

laurentsimon

laurentsimon commented on Feb 21, 2023

@laurentsimon
ContributorAuthor

If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints. This requires some more discussions.
pros: only trust what can be verified
cons: someone who verifies their own package knows that they have not altered the content and may want to trust it anyway. Arguably they should be using a different builder if they want this level of guarantees.

/cc @ianlewis @asraa

ianlewis

ianlewis commented on Feb 22, 2023

@ianlewis
Member

If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints.

I agree but, even better, we should ask npm to remove them from the provenance they generate. We can create an issue on their repo to have them removed if we find any. We discussed this earlier and agreed in principle with the GitHub folks on this.

laurentsimon

laurentsimon commented on Feb 22, 2023

@laurentsimon
ContributorAuthor

Good idea. Please link the issue once you have created one on their repo.

ianlewis

ianlewis commented on Feb 28, 2023

@ianlewis
Member

I linked to here from the issue in their repo. Anyone who has access should see it above.

laurentsimon

laurentsimon commented on Mar 15, 2023

@laurentsimon
ContributorAuthor

Example of claims and change in parsing sigstore/fulcio#754 (comment)

laurentsimon

laurentsimon commented on May 18, 2023

@laurentsimon
ContributorAuthor

Done in #572. Closing

ramonpetgrave64

ramonpetgrave64 commented on Jun 10, 2024

@ramonpetgrave64
Contributor

Reopening, since `(n *Npm) verifiedProvenanceBytes()` is not yet implemented.

```go
func (n *Npm) verifiedProvenanceBytes() ([]byte, error) {
	// TODO(#493): prune the provenance and return only
	// verified fields.
	// NOTE: we currently don't verify the materials' commit sha.
	return []byte{}, nil
}
```
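The pruning that the stub above leaves as a TODO, and that the first comment in this thread proposes (keep only provenance fields the certificate can vouch for), is sketched in the added example below. This is illustrative code written for this page, not slsa-verifier's implementation: the claim names in `CertClaims`, the provenance field names, and the sample values are all constructed placeholders, not Fulcio extension OIDs or real npm provenance. The example shows the two outcomes a verifier has to distinguish: a field the certificate says nothing about is dropped as unverifiable, while a field the certificate contradicts is a hard failure rather than a silent drop.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrMismatch is returned when a provenance field contradicts the certificate.
var ErrMismatch = errors.New("provenance field contradicts certificate claim")

// CertClaims models identity claims a verifier can read from the signing
// certificate. Field names are hypothetical, chosen for this example only;
// they are not the Fulcio extension names.
type CertClaims struct {
	SourceRepository string
	SourceRef        string
	BuildConfigPath  string // e.g. the workflow file that ran the build
}

// PruneResult separates the fields that were kept from those dropped, so a
// caller (such as a --print-provenance path) can report what was pruned.
type PruneResult struct {
	Verified   map[string]string
	Unverified []string
}

// PruneProvenance keeps only the provenance fields corroborated by a claim in
// the certificate. A field with no corresponding claim is dropped (we cannot
// verify it, so we do not print it); a field whose value differs from the
// claim is an error, because the provenance then contradicts the signer.
func PruneProvenance(prov map[string]string, cert CertClaims) (PruneResult, error) {
	// Hypothetical mapping from provenance field to the cert claim that can vouch for it.
	corroborated := map[string]string{
		"source.repository": cert.SourceRepository,
		"source.ref":        cert.SourceRef,
		"build.configPath":  cert.BuildConfigPath,
	}
	res := PruneResult{Verified: map[string]string{}}
	for field, value := range prov {
		claim, known := corroborated[field]
		if !known || claim == "" {
			// No claim in the cert can back this field: drop it rather than trust it.
			res.Unverified = append(res.Unverified, field)
			continue
		}
		if claim != value {
			return PruneResult{}, fmt.Errorf("%w: %s: cert=%q provenance=%q",
				ErrMismatch, field, claim, value)
		}
		res.Verified[field] = value
	}
	// Map iteration order is random; sort so the report is deterministic.
	sort.Strings(res.Unverified)
	return res, nil
}

func main() {
	// Constructed sample data, not a real certificate or npm provenance.
	cert := CertClaims{
		SourceRepository: "https://github.com/example-org/example-pkg",
		SourceRef:        "refs/tags/v1.2.3",
		BuildConfigPath:  ".github/workflows/publish.yml",
	}
	prov := map[string]string{
		"source.repository":   "https://github.com/example-org/example-pkg",
		"source.ref":          "refs/tags/v1.2.3",
		"build.configPath":    ".github/workflows/publish.yml",
		"materials.commitSha": "0000000000000000000000000000000000000000", // not in cert: dropped
		"build.runnerLabel":   "ubuntu-latest",                            // not in cert: dropped
	}
	res, err := PruneProvenance(prov, cert)
	if err != nil {
		fmt.Println("verification failed:", err)
		return
	}
	fmt.Println("verified fields:", res.Verified)
	fmt.Println("dropped as unverifiable:", res.Unverified)
}
```

Note that the commit SHA of the materials lands in the dropped set here, which mirrors the NOTE in the stub: until the verifier checks it against something the certificate attests, printing it would present an unverified value as verified.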


Metadata

Assignees: No one assigned

Labels: area:npm (An issue with verification of npm packages), type:feature (New feature request)

Type: No type

Projects: No projects

Relationships: None yet

Participants: @ianlewis, @ramonpetgrave64, @laurentsimon

        [feature][npm] Verify consistency between cert and provenance · Issue #493 · slsa-framework/slsa-verifier