
Add SLSA3 #95

Open
plastikfan opened this issue Feb 20, 2023 · 3 comments
chore Non source related, infrasture change wontfix This will not be worked on

Comments

plastikfan (Contributor)

plastikfan commented Feb 20, 2023

See: General availability of SLSA3 Generic Generator for GitHub Actions

May also need to look into SLSA Go releaser

Start here

This issue depends on the automated release process to be defined (go-releaser), see #42

@plastikfan plastikfan added the chore Non source related, infrasture change label Feb 20, 2023
@plastikfan plastikfan self-assigned this Feb 20, 2023
plastikfan (Contributor, Author)

An example: ko-build

plastikfan (Contributor, Author)

plastikfan commented Mar 2, 2023

AT = Attestation


Getting started with SLSA

Reaching SLSA Level 1:

  • Automate builds
  • Produce provenance data

Even though an automated build process has already been defined with GitHub Actions, this still isn't enough as it does not include an automated release process, which we need to implement with goreleaser (Issue 42).


Provenance

Provenance, need understanding of:


Attestation

Essentially this is code signing (I wonder if this is only applicable to binaries and not libraries, as in the case of the library, we don't create a binary, the client does as part of their build process). However, when we tag a release, there is a zipped version of the repo (like a snapshot), perhaps we can sign this.

An AT is more than just a signature. It backs up the signature to describe HOW we created the signature. E.g. an AT may include how an artefact was created, i.e. what build command was used to create it.

Recommended Suite:

The AT model -


Provenance

Describes HOW an artefact was produced.

The Provenance model -

System Inputs (evaluated to create Build Config). (For schema, See: provenance/v0.2)

  • environment
  • config source
  • parameters

External Inputs

  • materials (source code I think)

Executed with Build Config and Materials to produce Subject

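The provenance model sketched above (builder, config source, parameters, environment, materials, and the subject they produce) is what a consumer has to check before trusting a release artifact. The following is an added example, not code from this issue or the project: it builds a constructed SLSA provenance v0.2 statement (the schema linked above) and verifies an artifact against it. The builder id, repo URIs, digests and file names are placeholders.

```python
"""Consumer-side check of a SLSA provenance v0.2 statement (added example)."""
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed sample artifact and provenance; real values come from the builder.
ARTIFACT = b"constructed release archive contents\n"
REPO = "git+https://github.com/example/repo@refs/tags/v1.0.0"  # placeholder
PROVENANCE = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "example-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "builder": {"id": "https://example.com/builders/placeholder@v1"},
        "buildType": "https://example.com/buildtypes/placeholder@v1",
        "invocation": {
            # config source: the workflow that ran, pinned to a commit
            "configSource": {"uri": REPO, "digest": {"sha1": "0" * 40},
                             "entryPoint": ".github/workflows/release.yml"},
            "parameters": {},
            "environment": {"github_run_id": "12345"},
        },
        # materials: the source checked out to produce the subject
        "materials": [{"uri": REPO, "digest": {"sha1": "0" * 40}}],
    },
}


def check_provenance(statement, artifact, trusted_builder_id):
    """Return a list of problems; an empty list means the artifact is accounted for."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto statement")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicateType")
    pred = statement.get("predicate", {})
    # Builder identity: provenance from an unknown builder proves nothing.
    if pred.get("builder", {}).get("id") != trusted_builder_id:
        problems.append("untrusted builder id")
    # Subject: the artifact in hand must be one the provenance actually describes.
    actual = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == actual
               for s in statement.get("subject", [])):
        problems.append("artifact digest not among subjects")
    # HOW it was built must be pinned by digest, not merely named.
    cfg = pred.get("invocation", {}).get("configSource", {})
    if not (cfg.get("uri") and cfg.get("digest")):
        problems.append("configSource missing uri or digest")
    mats = pred.get("materials", [])
    if not mats or not all(m.get("uri") and m.get("digest") for m in mats):
        problems.append("materials missing or unpinned")
    return problems
```

A real verifier would first validate the DSSE signature over the statement with the builder's key; this routine only covers the field checks that follow.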
@plastikfan plastikfan added the wontfix This will not be worked on label Mar 9, 2023
plastikfan (Contributor, Author)

This is not required for a library.
