content: resourceUri SHOULD match the download URI (#1220)

When verifying VSAs consumers are expected to match the resourceUri with the 'expected value' but the spec doesn't currently indicate how that expected value is to be determined. In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else the producer MUST tell the user how to determine the expected value. fixes #1212 --------- Signed-off-by: Tom Hennen <tomhennen@google.com>
slsa-framework · Nov 7, 2024 · 5fea409 · 5fea409
1 parent 40c8f92
commit 5fea409
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/docs/spec/draft/verification_summary.md b/docs/spec/draft/verification_summary.md
@@ -155,6 +155,13 @@ of the other top-level fields, such as `subject`, see [Statement]._
 `resourceUri` _string ([ResourceURI]), required_
 
 > URI that identifies the resource associated with the artifact being verified.
+>
+> The `resourceUri` SHOULD be set to the URI from which the producer expects the
+> consumer to fetch the artifact for verification. This enables the consumer to
+> easily determine the expected value when [verifying](#how-to-verify). If the
+> `resourceUri` is set to some other value, the producer MUST communicate the
+> expected value, or how to determine the expected value, to consumers through
+> an out-of-band channel.
 
 <a id="policy"></a>
 `policy` _object ([ResourceDescriptor]), required_