Closed trishankatdatadog closed 9 months ago
If one executes the following line of commands:
```shell
$ curl -Sso attestations.json "$(npm view @trishankatdatadog/supreme-goggles@1.0.5 --json | jq -r '.dist.attestations.url')"
$ curl -Sso supreme-goggles.tgz "$(npm view @trishankatdatadog/supreme-goggles@1.0.5 --json | jq -r '.dist.tarball')"
$ SLSA_VERIFIER_EXPERIMENTAL=1 slsa-verifier verify-npm-package supreme-goggles.tgz \
    --attestations-path attestations.json \
    --builder-id "https://github.com/actions/runner/github-hosted" \
    --package-name "@trishankatdatadog/supreme-goggles" \
    --package-version 1.0.5 \
    --source-uri github.com/trishankatdatadog/supreme-goggles
```
One gets the following output:
```
Verifying npm package supreme-goggles.tgz: FAILED: invalid DSSE envelope payload: buildType is invalid: "https://github.com/npm/cli/gha/v2" for builder ID "https://github.com/actions/runner/github-hosted"
FAILED: SLSA verification failed: invalid DSSE envelope payload: buildType is invalid: "https://github.com/npm/cli/gha/v2" for builder ID "https://github.com/actions/runner/github-hosted"
```
The root cause appears to be that a v2 of the NPM CLI build type was not considered.
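The check that produces the error above can be illustrated with a small script that decodes the DSSE envelope from an npm `attestations.json` document and compares the statement's `buildType` against the build types allowed for the given builder ID. This is an added example, not slsa-verifier's or npm's own code: the `attestations.json` shape it constructs is a simplified assumption, the `v1` build-type entry is assumed (the issue only shows `v2` being rejected), and the script performs no signature verification, so it only models the buildType lookup that the issue describes.

```python
"""Model of the buildType check an npm provenance verifier performs.

Added illustration (not slsa-verifier's or npm's code). It decodes the DSSE
payload and checks predicate.buildType; it does NOT verify signatures.
"""
import base64
import json

BUILDER_GHA = "https://github.com/actions/runner/github-hosted"

# Build types accepted per builder ID. The v1 entry is an assumption made for
# this example; the issue only shows that v2 was rejected by an older table.
ACCEPTED_BUILD_TYPES = {
    BUILDER_GHA: {
        "https://github.com/npm/cli/gha/v1",
        "https://github.com/npm/cli/gha/v2",
    },
}

# Table modelling the behaviour reported in the issue: only v1 known.
OLD_ACCEPTED_BUILD_TYPES = {BUILDER_GHA: {"https://github.com/npm/cli/gha/v1"}}


def decode_dsse_payload(envelope: dict) -> dict:
    """Base64-decode a DSSE envelope payload into the in-toto statement dict."""
    payload_type = envelope.get("payloadType")
    if payload_type != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {payload_type!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_build_type(statement: dict, builder_id: str, accepted=None) -> str:
    """Return the buildType if it is accepted for builder_id, else raise
    ValueError with a message shaped like the one slsa-verifier prints."""
    table = ACCEPTED_BUILD_TYPES if accepted is None else accepted
    build_type = statement.get("predicate", {}).get("buildType")
    if build_type not in table.get(builder_id, set()):
        raise ValueError(
            f'buildType is invalid: "{build_type}" for builder ID "{builder_id}"'
        )
    return build_type


def make_attestations_json(build_type: str) -> str:
    """Construct a minimal attestations.json-like document (constructed sample;
    the digest and signature are placeholders, not real values)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{
            "name": "pkg:npm/%40trishankatdatadog/supreme-goggles@1.0.5",
            "digest": {"sha512": "<placeholder-digest>"},
        }],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {"buildType": build_type, "builder": {"id": BUILDER_GHA}},
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "<placeholder, not a real signature>"}],
    }
    return json.dumps({"attestations": [{
        "predicateType": statement["predicateType"],
        "bundle": {"dsseEnvelope": envelope},
    }]})


def verify_attestations_build_type(attestations_json: str, builder_id: str,
                                   accepted=None) -> str:
    """Find the SLSA provenance attestation and check its buildType."""
    doc = json.loads(attestations_json)
    for att in doc.get("attestations", []):
        if att.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
            statement = decode_dsse_payload(att["bundle"]["dsseEnvelope"])
            return check_build_type(statement, builder_id, accepted)
    raise ValueError("no SLSA provenance attestation found")


if __name__ == "__main__":
    v2 = "https://github.com/npm/cli/gha/v2"
    doc = make_attestations_json(v2)
    print("updated table:", verify_attestations_build_type(doc, BUILDER_GHA))
    try:
        verify_attestations_build_type(doc, BUILDER_GHA, OLD_ACCEPTED_BUILD_TYPES)
    except ValueError as err:
        print("old table:", err)
```

Running the script shows the updated table accepting `v2` while the old table, which knows only `v1`, raises the same `buildType is invalid` message the issue reports; extending the accepted set for the GitHub-hosted builder ID is what the fix amounts to.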