Attestations #1067

@yizha1


Is your feature request related to a problem?

Description

An attestation is a cryptographically signed collection of claims related to one or more software artifacts. According to SLSA, an attestation consists of authenticated statements about a software artifact or a collection of software artifacts. Examples include signed provenance files or signed SBOM files for container images. Attestations are crucial for ensuring the security and trustworthiness of the software supply chain.

Attestations are typically involved in the processes of creating attestations for software artifacts and verifying them before using the corresponding software artifacts. For instance, users generate SBOM attestations for container images in CI/CD pipelines and verify these attestations at admission control before deploying the container images on K8s clusters.

In-toto attestations are popular in the cloud-native ecosystem as part of the in-toto framework, which is designed to secure the integrity of software supply chains. You can find existing vetted predicates. Below are some examples of their adoption:

To adopt in-toto attestations, the following open issues should be considered by the Notary Project community:

  • Unsupported Envelope Type: In-toto attestations utilize the DSSE envelope and do not support the Notary Project signature envelopes such as JWS/COSE.
  • Performance concern: Since the attestation includes the payload, large payload sizes (e.g., an SBOM for a Windows image, which could be hundreds of megabytes) can lead to performance issues during attestation download and verification.
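The envelope mismatch in the first bullet is easier to reason about with the DSSE mechanics in front of you. The following Go program is an added example for this issue, not Notary Project or in-toto code: it wraps an in-toto Statement in a DSSE envelope, signs the Pre-Authentication Encoding (PAE) with Ed25519, and on the verify side checks the signature against a trusted key set, the `payloadType`, and that the statement's subject digest matches the artifact being admitted. The subject name, predicate type and digest are constructed sample values; the `registry.example` name and `https://example.com/predicate/v1` URI are placeholders, not real identifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// Subset of the in-toto Statement v1 shape. The subject binds the claims to
// one or more artifact digests; the predicate carries the claims themselves.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// DSSE envelope: payload is base64 of the raw statement bytes, and each
// signature covers PAE(payloadType, payload), not the payload alone.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

const InTotoPayloadType = "application/vnd.in-toto+json"

// pae builds the DSSE Pre-Authentication Encoding:
//   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
// Binding the type into the signed bytes is what stops a signed JSON blob
// from being replayed under a different payload type.
func pae(payloadType string, payload []byte) []byte {
	hdr := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(hdr), payload...)
}

// NewKey generates an Ed25519 key pair for the example signer.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildStatement produces the raw statement bytes for a single subject digest
// (constructed sample predicate; the predicate type is a placeholder URI).
func BuildStatement(name, sha256Hex string) ([]byte, error) {
	st := Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex}}},
		PredicateType: "https://example.com/predicate/v1",
		Predicate:     json.RawMessage(`{"builder":"constructed-sample"}`),
	}
	return json.Marshal(st)
}

// Sign wraps payload in a DSSE envelope with one Ed25519 signature.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify accepts the envelope if at least one signature verifies under a key the
// caller already trusts. keyid is only a lookup hint; an unknown keyid is skipped.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	msg := pae(env.PayloadType, payload) // recompute from the envelope's own fields
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no valid signature from a trusted key")
}

// VerifyStatementFor is the admission-side check: right payload type, valid
// signature, and a subject whose sha256 digest is the artifact being deployed.
func VerifyStatementFor(env Envelope, trusted map[string]ed25519.PublicKey, wantSHA256 string) (*Statement, error) {
	if env.PayloadType != InTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := Verify(env, trusted)
	if err != nil {
		return nil, err
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, err
	}
	for _, s := range st.Subject {
		if s.Digest["sha256"] == wantSHA256 {
			return &st, nil
		}
	}
	return nil, errors.New("statement subject does not cover the expected artifact digest")
}

func main() {
	pub, priv, _ := NewKey()
	payload, _ := BuildStatement("registry.example/app", "0123456789abcdef")
	env := Sign(priv, "example-key", InTotoPayloadType, payload)
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	_, err := VerifyStatementFor(env, map[string]ed25519.PublicKey{"example-key": pub}, "0123456789abcdef")
	fmt.Println("verified:", err == nil)
}
```

Two points from the issue show up directly in the code: the signature is over the PAE, so a JWS or COSE verifier that signs the bare payload cannot validate this envelope without a DSSE-aware path, and `Payload` carries the entire statement inline, which is why a multi-hundred-megabyte SBOM makes every download and verification pay for the full payload.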

Request

This issue requests the Notary Project to identify scenarios, create specifications, and provide reference implementations for attestations, including:

  • Scenarios for using attestations throughout the cloud-native secure supply chain.
  • Notary Project specification of the attestation format and storage in OCI-compliant registries.
  • Notary Project specification of workflows for creating and verifying attestations.
  • Reference implementation (Notation) of Notary Project attestation specifications including CLI specifications
  • Integration of Notary Project attestation tooling into popular CI/CD pipelines.

Your comments are welcome.

Metadata

Assignees

No one assigned

Labels

enhancement (New feature or request), v2 (Things belongs to version 2.x)

Type

No type

Projects

Status

Todo

Relationships

None yet

Development

No branches or pull requests
