slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Signing and Provenance #537

Open 1633605 opened 1 year ago

1633605 commented 1 year ago

We have started using SLSA with ADO and would like to explore a few scenarios, as below.

  1. signing artifact
  2. provenance of artifact at deployment step

Is there any tool or utility available along with SLSA to sign an artifact and verify the integrity of the artifact during the deployment step? Please share if there is something available.

mlieberman85 commented 1 year ago

Signing the artifact itself is out of scope, but signing the provenance metadata itself is in scope. What does ADO mean here? I'm familiar with ATO (authorization to operate) but unfamiliar with ADO.

As far as tools go for generating/signing, most are either plugins to the build or build systems themselves. There's a bunch under the slsa-framework org, like https://github.com/slsa-framework/slsa-github-generator, which will help if building using GitHub. It will generate provenance and sign that provenance. There are also other OpenSSF projects like FRSCA (https://github.com/buildsec/frsca) which aim to be an end-to-end build system.

Separately, for validating provenance at deployment time, most of the tools that support it today tend to be focused around Kubernetes, like Kyverno, which can validate signatures and elements in the SLSA attestation. There are also other tools like the SLSA verifier: https://github.com/slsa-framework/slsa-verifier. This and some other tools like OPA and cosign can be used to verify provenance and then, when hooked into a deployment tool, can help with gating.
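The deploy-time check described in the reply above (verify the signed provenance, then gate on what it says), as an added example that is not code from the SLSA project, slsa-verifier, cosign or Kyverno. It assumes a DSSE envelope carrying an in-toto statement with a SLSA v0.2 provenance predicate, and it simplifies signing to a plain ed25519 build-platform key rather than Sigstore keyless signing, which is what slsa-github-generator actually uses. The builder ID, source URI, artifact bytes and key are all constructed for the demo. The same gate applies to any artifact bytes: for a container image the subject digest is the image digest, for a JAR it is the file's sha256.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

const payloadType, slsaV02 = "application/vnd.in-toto+json", "https://slsa.dev/provenance/v0.2"

// Envelope is a DSSE envelope, the container in which SLSA tooling ships signed provenance.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto statement
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	Sig string `json:"sig"` // base64 signature over the PAE, not over the raw payload
}

// Statement is the subset of an in-toto statement with SLSA v0.2 provenance that the gate reads.
type Statement struct {
	PredicateType string                                               `json:"predicateType"`
	Subject       []struct{ Digest map[string]string `json:"digest"` } `json:"subject"`
	Predicate     struct {
		Builder    struct{ ID string `json:"id"` }                                                   `json:"builder"`
		Invocation struct{ ConfigSource struct{ URI string `json:"uri"` } `json:"configSource"` } `json:"invocation"`
	} `json:"predicate"`
}

// Policy is what the deploy gate requires: the platform signing key (assumption: plain ed25519,
// not Sigstore keyless), the builder.id, and the source the build must have been configured from.
type Policy struct{ TrustedKey ed25519.PublicKey; BuilderID, SourceURI string }

// pae is the DSSE pre-authentication encoding; this, not the payload itself, is the signed message.
func pae(pt string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(pt)) + " " + pt + " " + strconv.Itoa(len(payload)) + " " + string(payload))
}
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// BuildSignedProvenance stands in for the build platform: it records digest, builder and source, then signs.
func BuildSignedProvenance(priv ed25519.PrivateKey, artifact []byte, name, builderID, sourceURI string) Envelope {
	payload, _ := json.Marshal(map[string]any{ // marshalling string-only maps cannot fail
		"_type": "https://in-toto.io/Statement/v0.1", "predicateType": slsaV02,
		"subject":   []map[string]any{{"name": name, "digest": map[string]string{"sha256": sha256Hex(artifact)}}},
		"predicate": map[string]any{"builder": map[string]string{"id": builderID},
			"invocation": map[string]any{"configSource": map[string]string{"uri": sourceURI}}},
	})
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// VerifyProvenance is the deploy-time gate. Order matters: verify the signature before trusting any field,
// then require that the provenance names exactly this artifact, the expected builder and the expected source.
func VerifyProvenance(env Envelope, artifact []byte, pol Policy) error {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	signed, valid := pae(env.PayloadType, payload), false
	for _, s := range env.Signatures { // accept the envelope if any signature is from the trusted key
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		valid = valid || (err == nil && ed25519.Verify(pol.TrustedKey, signed, sig))
	}
	if !valid {
		return fmt.Errorf("no valid signature from the trusted build key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("statement: %w", err)
	}
	want, matched := sha256Hex(artifact), false
	for _, sub := range st.Subject {
		matched = matched || sub.Digest["sha256"] == want
	}
	switch {
	case st.PredicateType != slsaV02:
		return fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	case !matched:
		return fmt.Errorf("artifact sha256 %s is not a subject of the provenance", want)
	case st.Predicate.Builder.ID != pol.BuilderID:
		return fmt.Errorf("built by %q, expected %q", st.Predicate.Builder.ID, pol.BuilderID)
	case st.Predicate.Invocation.ConfigSource.URI != pol.SourceURI:
		return fmt.Errorf("built from %q, expected %q", st.Predicate.Invocation.ConfigSource.URI, pol.SourceURI)
	}
	return nil // every check passed: safe to deploy
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed build-platform key for the demo
	artifact, pol := []byte("constructed app.jar contents"), Policy{BuilderID: "https://example.com/builder", SourceURI: "git+https://example.com/org/app"}
	pol.TrustedKey = pub
	env := BuildSignedProvenance(priv, artifact, "app.jar", pol.BuilderID, pol.SourceURI)
	fmt.Println("genuine:", VerifyProvenance(env, artifact, pol), "| tampered:", VerifyProvenance(env, append(artifact, '!'), pol))
}
```

In a real pipeline the Policy values are what you would encode in a Kyverno rule or an OPA policy, and the key check is replaced by whatever slsa-verifier or cosign does for the signing scheme your builder uses; the point the example makes is that the digest, builder and source checks only mean something after the signature has been verified, and that a mismatch on any of them must fail the deployment.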

1633605 commented 1 year ago

ADO here is Azure DevOps. Are there any tools which validate provenance for both types of artifacts, like container images and JAR files, etc.?