seedwing-io / seedwing-policy

A functional type system for policy inspection, audit and enforcement.
https://www.seedwing.io
Apache License 2.0

A function that transforms SLSA provenance + pattern into a SLSA verification summary #153

Open lulf opened 1 year ago

lulf commented 1 year ago

Usage:

slsa::verify<my-policy-pattern>

The verify function takes a Provenance predicate, and performs a verification, producing a Verification Attestation Summary as described here.

Guidance on SLSA levels https://slsa.dev/spec/v0.1/requirements

The intended use is that consumers can create policies that enforce SLSA level 0-4 for their artifacts.

lulf commented 1 year ago

Notes to self: I originally thought this verification function would be passed the provenance document in order to create the verification document.

Instead, the input to the verify function could be as simple as a name and a sha256 digest, and produce the summary based on that.
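
A sketch of the transformation discussed in this issue, added here as an illustration and not taken from the issue or from seedwing-policy: a `verify` that receives only a name and a sha256 digest, looks up provenance by digest, and emits a verification summary. The policy dictionary, the in-memory provenance store, the `example` URLs and the choice of the SLSA VSA v0.2 field layout are all assumptions; signature checking of the stored provenance is assumed to have happened already.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: a provenance store keyed by artifact sha256 digest.
DIGEST = "a" * 64
PROVENANCE_STORE = {
    DIGEST: {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "example-1.2.3.tar.gz", "digest": {"sha256": DIGEST}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {"builder": {"id": "https://builder.example/trusted"}},
    }
}
# Hypothetical policy: the level granted to each known builder, and the minimum required.
POLICY = {
    "uri": "https://policy.example/my-policy-pattern",
    "min_level": 3,
    "builder_levels": {"https://builder.example/trusted": 3},
}

def verify(name, sha256, policy=POLICY, store=PROVENANCE_STORE, now=None):
    """Look up provenance by digest and return a VSA statement for the artifact."""
    digest = sha256.lower()
    prov = store.get(digest, {})
    # The provenance must actually name this digest as one of its subjects.
    bound = any(s.get("digest", {}).get("sha256") == digest
                for s in prov.get("subject", []))
    builder = prov.get("predicate", {}).get("builder", {}).get("id")
    # Missing provenance, an unbound digest or an unknown builder all yield level 0.
    level = policy["builder_levels"].get(builder, 0) if bound else 0
    passed = level >= policy["min_level"]
    when = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name, "digest": {"sha256": digest}}],
        "predicateType": "https://slsa.dev/verification_summary/v0.2",
        "predicate": {
            "verifier": {"id": "https://verifier.example/sketch"},
            "time_verified": when,
            "resource_uri": name,
            "policy": {"uri": policy["uri"]},
            "verification_result": "PASSED" if passed else "FAILED",
            # Choice made by this sketch: report level 0 whenever verification fails.
            "policy_level": f"SLSA_LEVEL_{level if passed else 0}",
        },
    }

if __name__ == "__main__":
    print(json.dumps(verify("example-1.2.3.tar.gz", DIGEST), indent=2))
```

A digest with no stored provenance produces a `FAILED` summary at `SLSA_LEVEL_0` rather than an error, so a consumer policy can reject on the summary alone.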