-
**Description**
I generate my provenance.json file. When I execute
cosign attest --yes --predicate provenance.json --type slsaprovenance --key cosign.key **image:tag** the command fails and says …
-
We should include instructions on how the signatures of the binary images as well as the attestations can be verified.
e.g. `COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance -…
-
We use this function to match the inputs to a workflow https://github.com/slsa-framework/slsa-verifier/blob/main/verifiers/internal/gha/slsaprovenance/common.go#L12.
We seem to always look at the …
-
The SLSA Provenance generated on GitHub does not include details about the workflow used to build a container image.
This makes it hard to create a policy rule that checks if a certain GitHub acti…
-
Hi,
We are noticing a lot of cases where packages are missing their licenses even though they can be found easily.
One of the examples for Python packages is 'pydantic':
1. both on https://pypi.…
-
Error:
```
FAILED: SLSA verification failed: verified intoto provenance does not match text provenance: diff ' gcb.v01IntotoStatement{
StatementHeader: {Type: "https://in-toto.io/Statement/v0.1…
```
-
**Description**
In keyless mode with Cosign 1.9, an attestation that is attached to a container image using `cosign attach attestation` is not returned in a `cosign verify-attestations` command wit…
-
Right now the slsa-verifier is designed around a closed-world assumption, i.e. it can validate attestations generated by known builders and rejects attestations for unknown builders.
Ideally, there…
-
Getting `MANIFEST_UNKNOWN: manifest unknown` error
```sh
cosign download sbom ghcr.io/xmlking/grpc-starter-kit/greeter:latest --output-file=sbom.spdx
```
Error
```
Error: GET https://ghcr.…
```
-
Using `package: write` on the workflow is convenient but is not setting least privilege in the case where users are not using ghcr.io. We should force users to set the username and password and log in…