What will we verify if our provenance file and steps/materials are not signed? Perhaps I'm misunderstanding something here. Of course, we could verify that the file has a proper format, but this does not seem like the objective of this command.
I'm trying to understand how this would apply in our situation.
Once we have provenance generated, it would also be handy to be able to verify the provenance.
In practice this means we need to be able to execute the attestations from the in-toto statement.
Verifying the provenance file would in general be something that is executed in an admission-controller before something is installed in production.
See here a reference of the in-toto statement
https://github.com/in-toto/attestation
See here another binary implementing in-toto including a verify command.
https://github.com/in-toto/in-toto-golang
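
Added example (not part of the issue, and not code from in-toto or in-toto-golang): a Go sketch of what verifying provenance means once the in-toto statement is wrapped in a signed DSSE envelope, as an admission check would do it. It checks a trusted signature over the statement and then that the artifact's digest is listed as a subject. Assumptions: one trusted Ed25519 key, SHA-256 subject digests, and the hypothetical names `Sign`, `Verify` and `Demo`; keys, artifact and statement are constructed at run time.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

const payloadType = "application/vnd.in-toto+json"
type subject struct{ Digest map[string]string } // one entry of the statement's "subject" list
func pae(b []byte) []byte { // DSSE pre-authentication encoding: the bytes a signature covers
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(b), b))
}
func Sign(priv ed25519.PrivateKey, stmt []byte) []byte { // producer side; []byte marshals as base64
	sigs := []map[string][]byte{{"sig": ed25519.Sign(priv, pae(stmt))}}
	env, _ := json.Marshal(map[string]interface{}{"payloadType": payloadType, "payload": stmt, "signatures": sigs})
	return env
}

// Verify passes only if the trusted key signed the statement AND it lists the artifact's digest.
func Verify(envJSON []byte, trusted ed25519.PublicKey, artifact []byte) error {
	var env struct {
		PayloadType string
		Payload     []byte
		Signatures  []struct{ Sig []byte }
	}
	var st struct{ Subject []subject }
	json.Unmarshal(envJSON, &env) // a malformed envelope yields no acceptable signature below
	signed := false
	for _, s := range env.Signatures {
		signed = signed || ed25519.Verify(trusted, pae(env.Payload), s.Sig)
	}
	if env.PayloadType != payloadType || !signed || json.Unmarshal(env.Payload, &st) != nil {
		return fmt.Errorf("no trusted signature over an in-toto statement")
	}
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == fmt.Sprintf("%x", sha256.Sum256(artifact)) {
			return nil
		}
	}
	return fmt.Errorf("artifact digest not listed in statement subject")
}
func Demo() (good, swapped, forged error) { // constructed keys, artifact and statement
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, other, _ := ed25519.GenerateKey(nil)
	art := []byte("constructed release artifact")
	stmt := []byte(fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"digest":{"sha256":"%x"}}]}`, sha256.Sum256(art)))
	return Verify(Sign(priv, stmt), pub, art), Verify(Sign(priv, stmt), pub, []byte("x")), Verify(Sign(other, stmt), pub, art)
}
func main() { fmt.Println(Demo()) }
```

The third case is the one the unsigned-provenance question turns on: a statement with the right digest but a signature from an untrusted key is rejected, and so is an envelope with no signatures at all.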