[feature][npm] Verify consistency between cert and provenance #493
Comments
ianlewis
added
type:feature
|
If some fields cannot be verified because they are not present in the cert, I'm tempted to say we should remove them from the provenance that |
I agree but, even better, we should ask npm to remove them from the provenance they generate. We can create an issue on their repo to have them removed if we find any. We discussed this earlier and agreed in principle with the GitHub folks on this. |
|
Good idea. Please link the issue once you have created one on their repo |
|
I linked to here from the issue in their repo. Anyone who has access should see it above. |
|
Example of claims and change in parsing sigstore/fulcio#754 (comment) |
|
Done in #572. Closing |
ianlewis
modified the milestones:
Verification of npm packages built by default GitHub builder,
Verification of npm packages GA
* Add tags for renovate-bot * fix checkout * Pin to codeql-action 2.1.15
|
reopening, since slsa-verifier/verifiers/internal/gha/npm.go Lines 224 to 229 in 18c5f13 |
|
fix pending in #768 #768 (comment) |
Fixes #614, #450, #449, #515 Adds support for NPM CLIs build provenances, generated when running `npm publish --provenance --access public` from a [GitHub Actions workflow](https://github.com/ramonpetgrave64/gundam-visor/blob/599500821344b070902a7a5666064bfdaba715df/.github/workflows/npm-publish.yml#L21). ## Testing - added unit tests for some new helper functions - added regression test cases ## Future work - #493, so we can do `--print-provenance` - implemented in #768 (comment) --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This is currently not possible but will land once the Fulcio claims have been standardized
The text was updated successfully, but these errors were encountered: