Support verification for npm SLSA v1.0 #614

laurentsimon · 2023-05-24T17:45:17Z

No description provided.

ianlewis · 2023-06-16T02:30:11Z

What is "npm v1.0"?

laurentsimon · 2023-06-21T21:23:49Z

Updated the title.. I meant npm SLSA v1.0 format

laurentsimon · 2023-06-29T17:03:37Z

npm CLI is close to having support for v1 format npm/cli#6613

ramonpetgrave64 · 2024-07-03T16:59:22Z

Duplicate to #450

Fixes #614, #450, #449, #515 Adds support for NPM CLIs build provenances, generated when running `npm publish --provenance --access public` from a [GitHub Actions workflow](https://github.com/ramonpetgrave64/gundam-visor/blob/599500821344b070902a7a5666064bfdaba715df/.github/workflows/npm-publish.yml#L21). ## Testing - added unit tests for some new helper functions - added regression test cases ## Future work - #493, so we can do `--print-provenance` - implemented in #768 (comment) --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

laurentsimon added the specs:v1.0 label May 24, 2023

ianlewis added this to the Verification of npm packages built by OSSF GitHub builder milestone May 25, 2023

laurentsimon changed the title ~~Support verification for npm v1.0~~ Support verification for npm SLSA v1.0 Jun 21, 2023

ianlewis removed this from the Verification of npm packages GA milestone Jun 26, 2023

laurentsimon mentioned this issue Sep 27, 2023

feat: support npm v1.0 #706

Closed

ramonpetgrave64 mentioned this issue May 17, 2024

feat: VerifyNpmPackage API with supplied tuf client #768

Open

ramonpetgrave64 mentioned this issue Jun 4, 2024

feat: support npm cli provenance v1 attestations #776

Merged

ramonpetgrave64 closed this as completed Jul 3, 2024

Provide feedback