-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Make all builders use .build-slsa extension #3088
Comments
I kind of wonder if this is really the right approach. Not many file extensions refer to the intended use of the file as opposed to the format. e.g. So I think this may be fairly counter-intuitive for users. |
For BYOB, which produces Sigstore bundles, I'm wondering if |
@ianlewis, did you have a code pointer to where bundles are generated in slsa-github-generator? I was just poking around this. Other Sigstore clients are using |
Just filed #3750 to track bundle output. |
In BYOB builders, for better or worse, the generation of provenance is a multi-step process.
For pre-BYOB builders we generate DSSE wrapped SLSA provenance as |
Thanks for the pointers! I would suggest we pursue Sigstore bundles in #3750 as that gives us an easy way to bundle DSSEs with the necessary verification material for offline verification (cert and log proof). If we do want DSSEs as the outer envelope, we had also explored adding custom extensions to DSSE (secure-systems-lab/dsse#61) where you could specify an ecosystem-defined struct. This would be similar to the addition of the |
Sounds good to me. From a purity standpoint I wish we could not fully rely on a Sigstore format as we'd also like to support private PKI at some point (#34) but creating sigstore bundles by default seems best for offline verification purposes. To be clear though, this issue is around the file extension rather than the format itself. @laurentsimon had argued to use the |
I'll mention that the Sigstore bundle should work for private PKI as well. We've designed it to primarily support the spec-compliant path but it's decently flexible - timestamps aren't required, proofs aren't required, you can put certificates, cert chains, or public key identifiers. |
Good to know. |
No description provided.
The text was updated successfully, but these errors were encountered: