
Consider creating an attestation predicate #87

Closed
puerco opened this issue Jul 10, 2024 · 2 comments
@puerco
Member

puerco commented Jul 10, 2024

The security insights data file captures information about the state of the project at a particular commit; that is, essentially, a set of claims about it.

I think the project should consider creating a JSON variant that can be used as a predicate for an (@in-toto) attestation. This would allow us to sign and embed the security insights file (for example in a @sigstore bundle) using the existing tooling from those ecosystems.
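Added example (not code from this issue or from the security-insights project) of what the proposal above amounts to in practice: the insights claims become the `predicate` of an in-toto v1 Statement whose `subject` binds them to a specific artifact digest, and the DSSE pre-authentication encoding is what a Sigstore-style signer would sign. The predicate-type URI, the insights key layout and the artifact bytes are constructed placeholders.

```python
import hashlib
import json

# Constructed sample claims; the key layout is illustrative, not the project's schema.
SAMPLE_INSIGHTS = {
    "header": {"schema-version": "placeholder", "last-updated": "2024-07-10"},
    "project": {"name": "example-project", "release": {"vex-data": "https://example.invalid/vex"}},
}
# Hypothetical predicate type URI; a real one would be published by the project.
PREDICATE_TYPE = "https://example.invalid/security-insights/predicate/v1"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_statement(artifact_name: str, artifact_bytes: bytes, predicate: dict) -> dict:
    """Wrap the insights claims as the predicate of an in-toto v1 Statement.
    The subject digest is what ties the claims to one exact artifact."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": digest}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": predicate,
    }


def validate_statement(stmt: dict) -> list[str]:
    """Return the problems a verifier should reject on; an empty list means well-formed."""
    errors = []
    if stmt.get("_type") != STATEMENT_TYPE:
        errors.append("unexpected _type")
    subjects = stmt.get("subject") or []
    if not subjects:
        errors.append("statement has no subject: the claims are bound to nothing")
    for s in subjects:
        d = s.get("digest", {}).get("sha256", "")
        if len(d) != 64 or any(c not in "0123456789abcdef" for c in d):
            errors.append(f"subject {s.get('name')!r}: sha256 digest is not 64 lowercase hex chars")
    if not str(stmt.get("predicateType", "")).startswith("https://"):
        errors.append("predicateType must be a URI")
    if not isinstance(stmt.get("predicate"), dict):
        errors.append("predicate must be an object")
    return errors


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the envelope signature covers."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def to_signing_input(stmt: dict) -> bytes:
    """Serialize the statement and produce the bytes a DSSE signer would sign."""
    payload = json.dumps(stmt, separators=(",", ":"), sort_keys=True).encode()
    return dsse_pae(PAYLOAD_TYPE, payload)
```

A verifier that accepts such a bundle should run the checks in `validate_statement` after the signature check, since a valid signature over a statement with no subject proves nothing about any artifact.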

@eddie-knight
Contributor

Hey @puerco, what do you think of the following?

I've got this drafted in #96 right now.

project:
  release:
      ...
      provenance:
        cryptography:
          attestation: https://foo.bar/attestation
          algorithm: sha256
        vex-data: https://foo.bar/vex
        hash-manifest: https://foo.bar/hash-manifest

@eddie-knight eddie-knight self-assigned this Dec 25, 2024
@eddie-knight
Contributor

Worked with @puerco offline to design a new attestation object type that will support this. It will be included in the upcoming release (#97).
