resourceUri SHOULD match the download URI
When verifying VSAs, consumers are expected to match the resourceUri
with the 'expected value', but the spec doesn't currently indicate
how that expected value is to be determined.

In this change we suggest the resourceUri be set to the URI
the consumer will fetch the artifact from. If it's set to something
else the producer MUST tell the user how to determine the expected
value.

fixes slsa-framework#1212

Signed-off-by: Tom Hennen <[email protected]>
TomHennen committed Oct 24, 2024
1 parent 8bd9129 commit f3974cf
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions docs/spec/draft/verification_summary.md
@@ -155,6 +155,13 @@ of the other top-level fields, such as `subject`, see [Statement]._
`resourceUri` _string ([ResourceURI]), required_

> URI that identifies the resource associated with the artifact being verified.
>
> The `resourceUri` SHOULD be set to the URI the producer expects the consumer
> to fetch the artifact being verified from. This enables the consumer to easily
> determine the expected value when [verifying](#how-to-verify). If the
> `resourceUri` is set to some other value, the producer MUST communicate the
> expected value, or how to determine the expected value, to consumers through
> out-of-band channel.
<a id="policy"></a>
`policy` _object ([ResourceDescriptor]), required_
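Review bot: the added SHOULD tells producers what to put in `resourceUri`, but the verification procedure it links to (`#how-to-verify`) is not touched in this change (the hunk above is the only one in the commit), so a consumer still has no normative step saying "compare `resourceUri` against the URI you fetched the artifact from, or against the value the producer communicated out-of-band". Suggest adding that step to the verification section in the same change so the two sections agree, and stating whether the comparison is against the URI the consumer requested or the final URI after redirects/mirrors, since those can differ. Two smaller points on the same lines: "through out-of-band channel" should read "through an out-of-band channel", and the blockquote still runs straight into `<a id="policy"></a>` with no blank line (pre-existing, but now it is the new text that is affected); because an `<a ...>` HTML block cannot interrupt a paragraph in CommonMark, the anchor can be swallowed as a lazy continuation of the quoted paragraph, so a blank line after `> out-of-band channel.` would be safer.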