-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature][npm] Verify consistency between cert and provenance #493
Comments
If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that |
I agree but, even better, we should ask npm to remove them from the provenance they generate. We can create an issue on their repo to have them removed if we find any. We discussed this earlier and agreed in principle with the GitHub folks on this. |
Good idea. Please link the issue once you have created one on their repo |
I linked to here from the issue in their repo. Anyone who has access should see it above. |
Example of claims and change in parsing sigstore/fulcio#754 (comment) |
Done in #572. Closing |
* Add tags for renovate-bot * fix checkout * Pin to codeql-action 2.1.15
reopening, since slsa-verifier/verifiers/internal/gha/npm.go Lines 224 to 229 in 18c5f13
|
fix pending in #768 #768 (comment) |
Fixes #614, #450, #449, #515 Adds support for NPM CLIs build provenances, generated when running `npm publish --provenance --access public` from a [GitHub Actions workflow](https://github.com/ramonpetgrave64/gundam-visor/blob/599500821344b070902a7a5666064bfdaba715df/.github/workflows/npm-publish.yml#L21). ## Testing - added unit tests for some new helper functions - added regression test cases ## Future work - #493, so we can do `--print-provenance` - implemented in #768 (comment) --------- Signed-off-by: Ramon Petgrave <[email protected]>
This is currently not possible but will land once the Fulcio claims have been standardized
The text was updated successfully, but these errors were encountered: