
GitHub public roadmap
Creative Commons Attribution 4.0 International

Artifact Attestations #947

Closed github-product-roadmap closed 2 months ago

github-product-roadmap commented 3 months ago

Summary

The SLSA framework defines a gradually increasing set of security measures designed to ensure the integrity of software artifacts throughout the supply chain. Once an organization reaches SLSA Build Level 2, they’ve implemented a substantial set of best practices to help secure their software supply chain.

Summary

Sigstore and SLSA (Supply chain Levels for Software Artifacts) are two initiatives designed to enhance the security of the software supply chain.

The Sigstore project provides infrastructure for keyless signing, verifying, and protecting software. By using cryptographic signatures, Sigstore enables developers and users to verify the integrity and origin of software artifacts, thus preventing insertion of malicious code during the software development and distribution process. In addition to the tooling, the project sponsors graciously host a public good instance with a transparency log to enable the broader community to adopt signing as part of their workflow.

Supply-chain Levels for Software Artifacts (SLSA) is a security framework that helps ensure the security and integrity of your software supply chain. In particular, it defines a build provenance attestation to describe how an artifact or set of artifacts was produced. The build provenance contains information such as the repository, commit, and workflow where the artifact was produced, which you may not want published to a public log.

Intended Outcome

Artifact Attestations enables you to realize all of the benefits of Sigstore and SLSA while keeping your information private.

How will it work?

Customers will be able to:
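As an added example, not code from this roadmap issue or from the GitHub, Sigstore or SLSA projects, the block below shows the consumer side of the build provenance described above: a policy check that binds a SLSA v1 provenance statement to the artifact bytes and then enforces which builder and source repository are acceptable. The field layout follows the in-toto Statement v1 envelope and the SLSA provenance v1 predicate (`buildDefinition`, `resolvedDependencies`, `runDetails.builder.id`); the repository, builder id, buildType and commit values are constructed placeholders, and signature verification of the envelope (the part Sigstore handles) is assumed to have already succeeded before this check runs.

```python
import hashlib
import json

# Constructed sample: an artifact and a SLSA v1-shaped provenance statement
# (in-toto Statement v1 envelope). All values are illustrative placeholders.
SAMPLE_ARTIFACT = b"example release payload\n"

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "app.tar.gz",
         "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/buildtypes/ci/v1",  # placeholder
            "externalParameters": {
                "workflow": {
                    "repository": "https://github.com/example-org/app",  # placeholder
                    "ref": "refs/heads/main",
                    "path": ".github/workflows/release.yml",
                }
            },
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example-org/app@refs/heads/main",
                 "digest": {"gitCommit": "0" * 40}}  # placeholder commit id
            ],
        },
        # placeholder builder identity
        "runDetails": {"builder": {"id": "https://example.invalid/builders/ci/v1"}},
    },
}

SAMPLE_STATEMENT_JSON = json.dumps(SAMPLE_STATEMENT)


class PolicyViolation(Exception):
    """Raised when the provenance does not satisfy the consumer's policy."""


def verify_provenance(statement_json, artifact_bytes, expected_repo, trusted_builders):
    """Check an already signature-verified SLSA v1 provenance statement
    against the artifact bytes and a consumer policy.

    Returns the source commit recorded in the provenance on success and
    raises PolicyViolation otherwise. Verifying the envelope signature
    (e.g. with Sigstore) is assumed to have happened before this is called.
    """
    stmt = json.loads(statement_json)

    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        raise PolicyViolation("not an in-toto Statement v1")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise PolicyViolation("unexpected predicateType %r" % stmt.get("predicateType"))

    # 1. Bind the statement to these exact bytes: the subject digest must match.
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == actual for s in stmt.get("subject", [])):
        raise PolicyViolation("artifact digest is not a subject of this statement")

    pred = stmt.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})

    # 2. Only accept provenance produced by builders the consumer trusts.
    builder_id = run.get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        raise PolicyViolation("untrusted builder %r" % builder_id)

    # 3. The build must have come from the expected source repository.
    repo = build_def.get("externalParameters", {}).get("workflow", {}).get("repository")
    if repo != expected_repo:
        raise PolicyViolation("unexpected source repository %r" % repo)

    # 4. Recover the exact commit that was built, for auditing or pinning.
    for dep in build_def.get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+" + expected_repo + "@"):
            commit = dep.get("digest", {}).get("gitCommit")
            if commit:
                return commit
    raise PolicyViolation("provenance records no commit for %s" % expected_repo)


if __name__ == "__main__":
    commit = verify_provenance(
        SAMPLE_STATEMENT_JSON,
        SAMPLE_ARTIFACT,
        "https://github.com/example-org/app",
        {"https://example.invalid/builders/ci/v1"},
    )
    print("provenance accepted; built from commit", commit)
```

The order of the checks matters: the digest binding comes first so that a valid statement for some other artifact cannot be replayed against this one, and the builder allow-list comes before the repository check because the repository field is only as trustworthy as the builder that recorded it.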

ankneis commented 2 months ago

🚢 This has shipped: https://github.blog/changelog/2024-05-02-artifact-attestations-public-beta