As part of the donation process to in-toto, we need to ensure that Witness meets the proposed in-toto specification. This issue is meant to track and discuss the tasks that need to be completed.
- [ ] Change policy language to match ITE-10
- [ ] Switch from an attestation collection to an attestation bundle
- [ ] Generate SLSA attestation. Most of the attributes for SLSA are going to be in the CI provider attestation and the command run attestation.
Questions:
Attestation Collections are verified as a single document. This has some nice properties; we can assume all of the attestations happened during the same invocation of witness. How do we bind the attestations in the bundle together?
We have extended DSSE to support timestamping and embedded cert chains. How do we do this if we want to bring the DSSE envelope into spec?
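The trade-off behind the first question, as an added example that is not Witness or in-toto code: a single DSSE envelope over a collection versus one envelope per attestation in a bundle. HMAC-SHA256 stands in for the asymmetric DSSE signature, the predicate-type URIs and attestation contents are constructed, and the `invocation` field is one assumed way of tying bundle entries to a run, not Witness's design.

```python
# Added example (not Witness code): DSSE envelopes over in-toto Statements,
# contrasting one signed collection with a bundle of individually signed
# attestations. HMAC-SHA256 stands in for the asymmetric signature; the key,
# predicate-type URIs, attestation contents and "invocation" field are constructed.
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
KEY = b"constructed-demo-key"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes the signature covers."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def sign(statement: dict) -> dict:
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}


def verify(env: dict):
    """Return the decoded statement if a signature checks out, else None."""
    payload = base64.b64decode(env["payload"])
    want = hmac.new(KEY, pae(env["payloadType"], payload), hashlib.sha256).digest()
    if any(hmac.compare_digest(base64.b64decode(s["sig"]), want) for s in env["signatures"]):
        return json.loads(payload)
    return None


def statement(predicate_type: str, predicate: dict, run_id: str) -> dict:
    # "invocation" is a constructed field: one way to tie bundle entries to a run
    return {"_type": STATEMENT_TYPE, "subject": [], "predicateType": predicate_type,
            "predicate": dict(predicate, invocation=run_id)}


def collection(atts: list, run_id: str) -> dict:
    # One envelope, one signature over every attestation: they are bound together.
    return sign(statement("constructed:collection", {"attestations": atts}, run_id))


def bundle(atts: list, run_id: str) -> list:
    # One envelope per attestation: each verifies on its own, independent of the rest.
    return [sign(statement(a["type"], a["attestation"], run_id)) for a in atts]


def verify_bundle(envs: list) -> set:
    """Verify every envelope; return the invocation ids seen (more than one = mixed runs)."""
    runs = set()
    for env in envs:
        st = verify(env)
        if st is None:
            raise ValueError("bad signature")
        runs.add(st["predicate"]["invocation"])
    return runs
```

Every envelope in a bundle assembled from two different runs still verifies individually, which is exactly the binding the single-document collection gave for free; the shared invocation id is one explicit check that restores it.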