Open laurentsimon opened 1 year ago
If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance
prints. This requires some more discussions.
pros: only trust what can be verified
cons: someone how verifies their own package know that they have not altered with the content and may want to trust it anyway. Arguably they should be using a different builder if they want this level of guarantees
/cc @ianlewis @asraa
If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints.
I agree but, even better, we should ask npm to remove them from the provenance they generate. We can create an issue on their repo to have them removed if we find any. We discussed this earlier and agreed in principle with the GitHub folks on this.
Good idea. Please link the issue once you have created one on their repo
I linked to here from the issue in their repo. Anyone who has access should see it above.
Example of claims and change in parsing https://github.com/sigstore/fulcio/issues/754#issuecomment-1470946162
Done in https://github.com/slsa-framework/slsa-verifier/pull/572. Closing
reopening, since (n *Npm) verifiedProvenanceBytes()
is not yet implemented.
https://github.com/slsa-framework/slsa-verifier/blob/18c5f13b3ecdf5b79db7448291d3c5aa67683157/verifiers/internal/gha/npm.go#L224-L229
fix pending in #768 https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115
This is currently not possible but will land once the Fulcio claims have been standardized