slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

[feature][npm] Verify consistency between cert and provenance #493

Open laurentsimon opened 1 year ago

laurentsimon commented 1 year ago

This is currently not possible but will land once the Fulcio claims have been standardized

laurentsimon commented 1 year ago

If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints. This requires some more discussion.
pros: only trust what can be verified
cons: someone who verifies their own package knows that they have not altered the content and may want to trust it anyway. Arguably they should be using a different builder if they want this level of guarantee.

/cc @ianlewis @asraa
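Added example (not slsa-verifier's code, and not part of this thread): a Go sketch of the "only trust what can be verified" policy discussed above. It cross-checks a flattened, constructed provenance against Fulcio-style certificate extensions and returns only the fields the certificate attests, erroring on any mismatch. The OIDs are the Source Repository URI (.12), Source Repository Ref (.14) and Build Trigger (.20) values from Fulcio's OID specification, stated here as assumptions, and the field names `sourceURI`, `sourceRef`, `buildTrigger`, the `Provenance` type and the helpers `extractClaims`, `VerifiedProvenance` and `newTestCert` are hypothetical; the test certificate is self-signed and generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio extension OIDs (1.3.6.1.4.1.57264.1.x). Assumed from Fulcio's OID spec;
// V2 extensions carry their value as a DER-encoded UTF8String.
var (
	oidSourceRepoURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
	oidSourceRepoRef = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 14}
	oidBuildTrigger  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 20}
)

// certClaims maps a (hypothetical, flattened) provenance field to the cert OID that attests it.
// Provenance fields absent from this map have no cert counterpart and are never trusted.
var certClaims = map[string]asn1.ObjectIdentifier{
	"sourceURI":    oidSourceRepoURI,
	"sourceRef":    oidSourceRepoRef,
	"buildTrigger": oidBuildTrigger,
}

// Provenance is a constructed stand-in for the fields --print-provenance would show.
type Provenance map[string]string

// extractClaims decodes every known Fulcio extension present on cert.
func extractClaims(cert *x509.Certificate) (map[string]string, error) {
	claims := map[string]string{}
	for field, oid := range certClaims {
		for _, ext := range cert.Extensions {
			if !ext.Id.Equal(oid) {
				continue
			}
			var v string
			rest, err := asn1.Unmarshal(ext.Value, &v) // accepts UTF8String
			if err != nil {
				return nil, fmt.Errorf("%s: %w", field, err)
			}
			if len(rest) != 0 {
				return nil, fmt.Errorf("%s: trailing bytes after extension value", field)
			}
			claims[field] = v
		}
	}
	return claims, nil
}

// VerifiedProvenance returns only the provenance fields the cert attests, and fails
// on any field where the cert and the provenance disagree.
func VerifiedProvenance(cert *x509.Certificate, prov Provenance) (Provenance, error) {
	claims, err := extractClaims(cert)
	if err != nil {
		return nil, err
	}
	out := Provenance{}
	for field, provValue := range prov {
		certValue, attested := claims[field]
		if !attested {
			continue // no cert claim backs this field: drop it rather than print it
		}
		if certValue != provValue {
			return nil, fmt.Errorf("field %q: cert says %q, provenance says %q", field, certValue, provValue)
		}
		out[field] = provValue
	}
	return out, nil
}

// newTestCert builds a self-signed certificate carrying the given claims (constructed test data).
func newTestCert(claims map[string]string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fulcio-style test leaf"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for field, v := range claims {
		oid, ok := certClaims[field]
		if !ok {
			return nil, fmt.Errorf("no OID for field %q", field)
		}
		der, err := asn1.MarshalWithParams(v, "utf8")
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oid, Value: der})
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert(map[string]string{
		"sourceURI": "https://github.com/example/pkg",
		"sourceRef": "refs/tags/v1.0.0",
	})
	if err != nil {
		panic(err)
	}
	prov := Provenance{
		"sourceURI":    "https://github.com/example/pkg",
		"sourceRef":    "refs/tags/v1.0.0",
		"buildTrigger": "push", // not on this cert, so it must not be printed as verified
	}
	verified, err := VerifiedProvenance(cert, prov)
	fmt.Println(verified, err)
}
```

The point the example makes concrete is the asymmetry in the policy: a field with no certificate claim is silently dropped from the verified view, while a field that does have a claim must match byte-for-byte or the whole verification fails.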

ianlewis commented 1 year ago

If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that --print-provenance prints.

I agree but, even better, we should ask npm to remove them from the provenance they generate. We can create an issue on their repo to have them removed if we find any. We discussed this earlier and agreed in principle with the GitHub folks on this.

laurentsimon commented 1 year ago

Good idea. Please link the issue once you have created one on their repo

ianlewis commented 1 year ago

I linked to here from the issue in their repo. Anyone who has access should see it above.

laurentsimon commented 1 year ago

Example of claims and change in parsing https://github.com/sigstore/fulcio/issues/754#issuecomment-1470946162

laurentsimon commented 1 year ago

Done in https://github.com/slsa-framework/slsa-verifier/pull/572. Closing

ramonpetgrave64 commented 1 month ago

reopening, since (n *Npm) verifiedProvenanceBytes() is not yet implemented. https://github.com/slsa-framework/slsa-verifier/blob/18c5f13b3ecdf5b79db7448291d3c5aa67683157/verifiers/internal/gha/npm.go#L224-L229

ramonpetgrave64 commented 3 weeks ago

fix pending in #768 https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115