slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

content: resourceUri SHOULD match the download URI #1220

Closed TomHennen closed 3 weeks ago

TomHennen commented 1 month ago

When verifying VSAs, consumers are expected to match the resourceUri with the 'expected value', but the spec doesn't currently indicate how that expected value is to be determined.

In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else the producer MUST tell the user how to determine the expected value.

fixes #1212
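The rule proposed above, as a consumer-side check (added example, not code from the SLSA project): the expected resourceUri defaults to the URI the artifact was actually downloaded from, and a producer-documented value is used only when the producer has said the VSA is published under a different URI. The VSA below is a constructed sample; its field names follow the SLSA Verification Summary predicate, the values are made up, and envelope signature verification is assumed to happen elsewhere.

```python
import hashlib

# Constructed sample: an in-toto Statement wrapping a SLSA VSA predicate.
# Field names follow the SLSA VSA spec; artifact bytes and URIs are invented.
ARTIFACT = b"example release tarball bytes"
SAMPLE_VSA = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg-1.2.3.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/verification_summary/v1",
    "predicate": {
        "verifier": {"id": "https://example.com/verifier"},  # assumed verifier id
        "resourceUri": "https://example.com/releases/pkg-1.2.3.tar.gz",
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
    },
}


def verify_vsa(statement, artifact_bytes, download_uri, expected_uri=None):
    """Check a VSA against an artifact the consumer just fetched.

    download_uri is where the bytes were fetched from; that is the default
    expected resourceUri.  expected_uri overrides it only when the producer
    has documented how to derive the value (the MUST in the proposal).
    Returns (ok, reasons).  Signature checks on the envelope are out of scope.
    """
    reasons = []
    if statement.get("predicateType") != "https://slsa.dev/verification_summary/v1":
        reasons.append("not a SLSA verification_summary predicate")
    # The VSA must be about the exact bytes we hold, not just a matching name.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        reasons.append("artifact digest not among VSA subjects")
    pred = statement.get("predicate", {})
    expected = expected_uri if expected_uri is not None else download_uri
    if pred.get("resourceUri") != expected:
        reasons.append(f"resourceUri {pred.get('resourceUri')!r} != expected {expected!r}")
    if pred.get("verificationResult") != "PASSED":
        reasons.append("verificationResult is not PASSED")
    return (not reasons, reasons)
```

A mirror download with no producer-supplied mapping fails on the resourceUri check, which is exactly the case the proposal asks producers to document.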

netlify[bot] commented 1 month ago

Deploy Preview for slsa ready!

Latest commit: cbe3b40b9f680c2dc0301d06264618369546f95d
Latest deploy log: https://app.netlify.com/sites/slsa/deploys/671bdf068cd82e000874c35f
Deploy Preview: https://deploy-preview-1220--slsa.netlify.app

TomHennen commented 1 month ago

@adityasaky this was your suggestion, so I'd love your thoughts too.

TomHennen commented 3 weeks ago

I think we need one more maintainer to approve this PR before we merge. @lehors, @trishankatdatadog, or @mlieberman85 would you mind taking a look?