-
See https://www.w3.org/TR/SRI/#the-integrity-attribute
> 3.1 Integrity metadata
To verify the integrity of a response, a user agent requires integrity metadata as part of the [request](https://fet…
-
If someone is using a build platform that does not have provenance generation tooling built out yet (so not GitHub or GitLab etc) - in order to meet level 1 there seems to be a conflict in the get sta…
-
# (High) Missing integrity protection for Stacks transactions issued by signer
## 1. Description
In order to issue Stacks transactions, the signer has to sign the hash over members in structs su…
-
Hi,
in the pkcs7 implementation, function NewSignedData in sign.go defaults to using SHA-1 as digest algorithm.
https://github.com/smallstep/pkcs7/blob/5e2c6a136dfaa418340bb4a7eb0d0c7421d4934c/sig…
-
`DIGEST_SIZE = hashlib.md5().digest_size` [code](https://github.com/awslabs/kinesis-aggregation/blob/e631fe742486f4d7ef20f5619ebc57919e12f9b6/python/aws_kinesis_agg/__init__.py#L22C15-L22C40) fails …
-
- https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API/Non-cryptographic_uses_of_subtle_crypto#hashing_a_file
- https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest
- could …
-
I would like to start a discussion about how the above should look, i.e., what is a way for different parties to attest that they have reviewed a definition to be valid, and how to convey that trust t…
-
### Feature Request
### Description
Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from sourceforge or github.com because the releases are not …
-
SLSA provenance defines digests as "cryptographic digests for the **contents** of the artifact".
However, the git examples use "commit hash" which does not match the specification.
A possible fix i…
-
### Feature Request
Currently it is not possible to verify the cryptographic authenticity after downloading the Trust Wallet software because the releases are not cryptographically signed.
This …