Verifying Artifacts

slsa.dev/spec/v1.0-rc1/verifying-artifacts

Top Highlights

  • SLSA uses provenance to indicate whether an artifact is authentic or not, but provenance doesn’t do anything unless somebody inspects it.

  • Package ecosystems verify an artifact’s provenance against a set of expectations.

  • Example threats in this category include building from an unofficial fork or abusing a build parameter to modify the build. Usually expectations identify the canonical source repository (which is the main external parameter)

  • A package version is considered to meet a given SLSA level if and only if the package ecosystem has verified its provenance against the package’s expectations.