slsa-framework / azure-devops-demo

SLSA Azure DevOps Pipelines Extension
https://marketplace.visualstudio.com/items?itemName=gattjoe.SLSAProvenanceGenerator
Apache License 2.0

Provenance of artifact #38

Closed 1633605 closed 1 year ago

1633605 commented 1 year ago

Hi,

Once the provenance is generated, is there a way we can verify that the artifact has not been tampered with during the deployment step and that the same artifact is being deployed from a trusted source?

gattjoe commented 1 year ago

Hi,

That would be a separate process in which you compare the hash in the provenance with what is running in your production environment. Do you have a use case you can elaborate on?

1633605 commented 1 year ago

As part of the CI pipeline, the SLSA step is used, which will generate build provenance (commit SHA). During the release pipeline in Azure DevOps, we wanted to check that the same artifact is being deployed, to prove that integrity is maintained throughout the pipeline as it goes to different environment targets (provenance to be verified at the production deployment stage).

gattjoe commented 1 year ago

Hi, so the ADO extension for this will publish an artifact. You could write a plugin that downloads the artifact at a later step, checks the SHA in the provenance and then checks the SHA of the artifact that's about to be deployed.
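One way to implement the check described in the thread, as an added example that is not code from the extension or from either participant: it assumes the published provenance is an in-toto Statement carrying a SLSA v0.2 predicate, and that the builder id the deployer trusts is configured out of band (the id and artifact bytes below are constructed placeholders).

```python
import hashlib
import os
import tempfile

# Constructed sample data (not from the extension): artifact bytes and a minimal in-toto
# Statement whose subject digest is derived from them. The builder id is a placeholder.
SAMPLE_ARTIFACT = b"example build output v1\n"
TRUSTED_BUILDER_ID = "https://example.invalid/builder/placeholder"
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app.zip",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicate": {"builder": {"id": TRUSTED_BUILDER_ID}},
}

def sha256_file(path):
    """Stream the file so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_artifact(path, provenance, trusted_builder):
    """Return (ok, reason). The artifact's sha256 must be a provenance subject and the
    provenance must name the builder the deployer trusts; fail closed otherwise."""
    if provenance.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        return False, "unexpected predicateType: %s" % provenance.get("predicateType")
    builder = provenance.get("predicate", {}).get("builder", {}).get("id")
    if builder != trusted_builder:
        return False, "untrusted builder id: %s" % builder
    actual = sha256_file(path)
    expected = {s.get("digest", {}).get("sha256") for s in provenance.get("subject", [])}
    if actual not in expected:
        return False, "digest mismatch: %s is not a provenance subject" % actual
    return True, "artifact matches provenance"

def write_sample_artifact(content=SAMPLE_ARTIFACT):
    """Write constructed bytes to a temp file so the check can be exercised offline."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path
```

In a release step, load the provenance JSON the extension published, call verify_artifact on the downloaded artifact path, and fail the stage when it returns False.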