Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

content: resourceUri SHOULD match the download URI #1220

Merged
merged 3 commits into from
Nov 7, 2024

Conversation

TomHennen
Copy link
Contributor

When verifying VSAs consumers are expected to match the resourceUri with the 'expected value' but the spec doesn't currently indicate how that expected value is to be determined.

In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else the producer MUST tell the user how to determine the expected value.

fixes #1212

When verifying VSAs consumers are expected to match the resourceUri
with the 'expected value' but the spec doesn't currently indicate
how that expected value is to be determined.

In this change we suggest the resourceUri be set to the URI
the consumer will fetch the artifact from. If it's set to something
else the producer MUST tell the user how to determine the expected
value.

fixes slsa-framework#1212

Signed-off-by: Tom Hennen <[email protected]>
Copy link

netlify bot commented Oct 24, 2024

Deploy Preview for slsa ready!

Name Link
🔨 Latest commit cbe3b40
🔍 Latest deploy log https://app.netlify.com/sites/slsa/deploys/671bdf068cd82e000874c35f
😎 Deploy Preview https://deploy-preview-1220--slsa.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@TomHennen TomHennen changed the title resourceUri SHOULD match the download URI content: resourceUri SHOULD match the download URI Oct 24, 2024
@TomHennen
Copy link
Contributor Author

@adityasaky this was your suggestion, so I'd love your thoughts too.

Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
Copy link
Contributor

@hepwori hepwori left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Copy link
Member

@adityasaky adityasaky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@TomHennen
Copy link
Contributor Author

I think we need one more maintainer to approve this PR before we merge. @lehors, @trishankatdatadog, or @mlieberman85 would you mind taking a look?

Copy link
Member

@mlieberman85 mlieberman85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@adityasaky adityasaky merged commit 5fea409 into slsa-framework:main Nov 7, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

Clarify how end-users can know the expected value of resourceUri in a VSA
6 participants