io7m-com / northpike

Continuous integration
https://www.io7m.com/software/northpike
ISC License

Comply with SLSA Build L3 #12

Open io7m opened 1 year ago

io7m commented 1 year ago

https://slsa.dev/spec/v1.0/threats

One major part of this is generating "signed provenance":

https://slsa.dev/spec/v1.0/provenance

I'm not sure how this works for privately hosted northpike instances.

io7m commented 1 year ago

Agents may need to generate a keypair on startup, and send the public key to the server. The server can use this for authentication (instead of the current NPAccessKey) and this key can also be used to sign provenance.
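One way to realise the per-agent keypair sketched above, as an added example that is not northpike code: the agent generates an Ed25519 key at startup, signs a SLSA v1.0 provenance statement, and the server accepts the provenance only if it verifies under the public key it recorded for that agent. The Ed25519 choice, the DSSE pre-authentication encoding and the placeholder statement values are assumptions, not project decisions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Minimal in-toto Statement envelope as used by SLSA v1.0 provenance.
type Statement struct {
	Type          string           `json:"_type"`
	Subject       []map[string]any `json:"subject"`
	PredicateType string           `json:"predicateType"`
	Predicate     map[string]any   `json:"predicate"`
}
const inTotoType = "application/vnd.in-toto+json"

// Agent: keypair generated once at startup; only the public half goes to the server.
type Agent struct{ priv ed25519.PrivateKey }

func NewAgent() (*Agent, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Agent{priv: priv}, pub, err
}

// pae is the DSSE pre-authentication encoding binding the payload type to the bytes.
func pae(payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(inTotoType), inTotoType, len(payload), payload))
}
// Sign serialises the statement and signs it with the agent's private key.
func (a *Agent) Sign(s Statement) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(s); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(a.priv, pae(payload)), nil
}
// Verify: server-side check under the agent's registered key; a bad-length key is rejected, not panicked on.
func Verify(registered ed25519.PublicKey, payload, sig []byte) bool {
	return len(registered) == ed25519.PublicKeySize && ed25519.Verify(registered, pae(payload), sig)
}

// SampleStatement builds provenance for one artifact from constructed placeholder values.
func SampleStatement() Statement {
	return Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []map[string]any{{"name": "app.jar", "digest": map[string]string{"sha256": "<constructed-digest>"}}},
		PredicateType: "https://slsa.dev/provenance/v1",
		Predicate:     map[string]any{"buildDefinition": map[string]any{"buildType": "<constructed-build-type>"}},
	}
}
```

The binding that matters is on the server side: the key must be tied to the agent's identity when it is registered, otherwise any holder of any key could produce "valid" provenance.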