feat: add slsa v1?draft provenance experimental support #470
Conversation
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
|
cc @laurentsimon this is ready for review. |
Signed-off-by: Asra Ali <asraa@google.com>
| // one must be set. We already check to ensure that they are mutually exclusive. | ||
| if ExperimentalEnabled() { | ||
| if !(cmd.Flags().Changed("provenance-path") || | ||
| cmd.Flags().Changed("bundle-path")) { |
There was a problem hiding this comment.
I'm curious if we want another options for this or simply re-use provenance-path?
Does a new option require users to be "aware" of the "type" of provenance file they want to verify? Is this OK?
There was a problem hiding this comment.
Hmm good point, from our perspective we will be having generators that may output DSSE or sigstore bundle, and clients may still want a uniform interface rather than switching over the extension type.
I can update to allow that -- we'll have to test unmarshal both to figure out the right type, but it will actually clean up the interface.
There was a problem hiding this comment.
I thought about this too but didn't comment since I figured that having separate options has the benefit of avoiding format type detection logic. If all types have the same security implications then probably it's fine, but if one format could be more secure than others then we might have to worry about downgrades.
There was a problem hiding this comment.
So long as we turn this option on my default the same content is present and same validations will occur. So let's definitely resolve this one before releasing.
Signed-off-by: Asra Ali asraa@google.com
Description:
feat: Adds slsa v1?draft provenance support with unit SLSA v1 provenance tests
feat: [EXPERIMENTAL] Adds
--bundle-pathoption to specify a Sigstore bundle.test: I've added unit tests with the SLSA v1 provenance.
Follow-up issue:
Fixes #464
Fixes #441