Does SLSA prescribe a way to sign provenance?


Clement

Oct 6, 2022, 4:23:29 AM
to slsa-discussion
From what I've understood, SLSA defines the requirements to meet "what" and not the "how". 

I've been using GitLab to generate provenance for artifacts, but what's the recommended way to sign & allow users to verify and perform attestation?

Tony Loehr

Oct 6, 2022, 11:26:04 AM
to Clement, slsa-discussion
Hey Clement,

I can walk through this with you. What’s your calendar availability this week?

Best,
Tony

--
Best,
Tony Loehr

Developer Advocate, Cycode

Abhishek Arya

Oct 6, 2022, 11:41:22 AM
to Clement, slsa-discussion, Tony Loehr
Clement, here is the community blog post on how to generate and sign SLSA provenance.


Michael Lieberman

Oct 6, 2022, 11:52:15 AM
to Abhishek Arya, Clement, slsa-discussion, Tony Loehr
Feel free to also ask in the #slsa channel in OpenSSF Slack - https://slack.openssf.org/. We're all pretty responsive.

With that being said, there are lots of ways to generate signed attestations and verify those attestations. There are OpenSSF projects like Sigstore, but SLSA doesn't require a specific tool or technology. I also recommend taking a look at the Getting Started page: https://slsa.dev/get-started which lists a few ways.
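
To illustrate the last reply's point that signing is tool-independent, here is an added Go example (not code from this thread or from any project named in it) that signs a provenance statement in a DSSE envelope and verifies it against a trusted public key. The Ed25519 throwaway key, the function names and the sample statement are assumptions made for the example; a tool such as Sigstore handles keys and signer identity differently.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

const payloadType = "application/vnd.in-toto+json"

type Signature struct{ Sig string `json:"sig"` } // optional DSSE "keyid" omitted
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the statement
	Signatures  []Signature `json:"signatures"`
}

// pae is the DSSE pre-authentication encoding; it binds the payload type
// into the bytes that are actually signed.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

func Sign(priv ed25519.PrivateKey, stmt []byte) Envelope {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(payloadType, stmt)))
	return Envelope{payloadType, base64.StdEncoding.EncodeToString(stmt), []Signature{{sig}}}
}

// Verify returns the statement only if a signature is valid under the trusted key.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType {
		return nil, errors.New("undecodable payload or unexpected payloadType")
	}
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
			return body, nil
		}
	}
	return nil, errors.New("no valid signature from the trusted key")
}

func main() {
	stmt := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"app.tar.gz","digest":{"sha256":"<artifact-sha256>"}}],"predicate":{}}`) // constructed sample; digest is a placeholder
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key for the demo
	_, err := Verify(pub, Sign(priv, stmt))
	fmt.Println("verified:", err == nil)
}
```

A consumer should parse the statement only after `Verify` succeeds, then compare the subject digest with the artifact it actually downloaded.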
