Architect a "Verified Reproducible Build Attestation"

[andrew-m-leonard]

Architect a "Verified Reproducible Build Attestation".

Some useful links:

• https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf
• https://cyclonedx.org/capabilities/attestations/
• https://github.com/CycloneDX/specification/blob/master/tools/src/test/resources/1.6/valid-attestation-1.6.json
• https://github.com/in-toto/attestation/blob/main/README.md
• https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form (and related DB for attestations and artifacts)
  • TODO, check if similar exists for EU
• https://www.cisa.gov/sites/default/files/2024-04/Self_Attestation_Common_Form_FINAL_508c.pdf
  • TODO, look at fields/requirements of the form and see if all are also valid for verification builds / as opposed to official published build)
• https://www.activestate.com/blog/everything-developers-need-to-know-about-attestations/
• https://cyclonedx.org/docs/1.6/json/#declarations_attestations

[andrew-m-leonard]

@tellison @smlambert fyi

[smlambert]

Also:

• https://www.cisa.gov/resources-tools/resources/secure-software-development-attestation-form (and related DB for attestations and artifacts)
  • TODO, check if similar exists for EU
• https://www.cisa.gov/sites/default/files/2024-04/Self_Attestation_Common_Form_FINAL_508c.pdf
  • TODO, look at fields/requirements of the form and see if all are also valid for verification builds / as opposed to official published build)
• https://www.activestate.com/blog/everything-developers-need-to-know-about-attestations/
• https://cyclonedx.org/docs/1.6/json/#declarations_attestations

[tellison]

Sigstore seems to be a center of gravity in the secure supply chain processes. We should seriously consider using the formats supported by Rekor to be able to use that infrastructure downstream.