From f3974cf552d1bd1844814aadd06f1fea2ee76267 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 24 Oct 2024 21:55:03 +0000 Subject: [PATCH 1/3] resourceUri SHOULD match the download URI When verifying VSAs consumers are expected to match the resourceUri with the 'expected value' but the spec doesn't currently indicate how that expected value is to be determined. In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else the producer MUST tell the user how to determine the expected value. fixes #1212 Signed-off-by: Tom Hennen --- docs/spec/draft/verification_summary.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/spec/draft/verification_summary.md b/docs/spec/draft/verification_summary.md index c8922f07d..4876186b1 100644 --- a/docs/spec/draft/verification_summary.md +++ b/docs/spec/draft/verification_summary.md @@ -155,6 +155,13 @@ of the other top-level fields, such as `subject`, see [Statement]._ `resourceUri` _string ([ResourceURI]), required_ > URI that identifies the resource associated with the artifact being verified. +> +> The `resourceUri` SHOULD be set to the URI the producer expects the consumer +> to fetch the artifact being verified from. This enables the consumer to easily +> determine the expected value when [verifying](#how-to-verify). If the +> `resourceUri` is set to some other value, the producer MUST communicate the +> expected value, or how to determine the expected value, to consumers through +> out-of-band channel. `policy` _object ([ResourceDescriptor]), required_ From 883570fc2af4bd5218ec7270d1a583e867c6d18e Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 24 Oct 2024 22:00:39 +0000 Subject: [PATCH 2/3] missing word Signed-off-by: Tom Hennen --- docs/spec/draft/verification_summary.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/spec/draft/verification_summary.md b/docs/spec/draft/verification_summary.md index 4876186b1..d41249f35 100644 --- a/docs/spec/draft/verification_summary.md +++ b/docs/spec/draft/verification_summary.md @@ -161,7 +161,7 @@ of the other top-level fields, such as `subject`, see [Statement]._ > determine the expected value when [verifying](#how-to-verify). If the > `resourceUri` is set to some other value, the producer MUST communicate the > expected value, or how to determine the expected value, to consumers through -> out-of-band channel. +> an out-of-band channel. `policy` _object ([ResourceDescriptor]), required_ From cbe3b40b9f680c2dc0301d06264618369546f95d Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Fri, 25 Oct 2024 18:09:59 +0000 Subject: [PATCH 3/3] improve grammar Signed-off-by: Tom Hennen --- docs/spec/draft/verification_summary.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/spec/draft/verification_summary.md b/docs/spec/draft/verification_summary.md index d41249f35..03539b061 100644 --- a/docs/spec/draft/verification_summary.md +++ b/docs/spec/draft/verification_summary.md @@ -156,9 +156,9 @@ of the other top-level fields, such as `subject`, see [Statement]._ > URI that identifies the resource associated with the artifact being verified. > -> The `resourceUri` SHOULD be set to the URI the producer expects the consumer -> to fetch the artifact being verified from. This enables the consumer to easily -> determine the expected value when [verifying](#how-to-verify). If the +> The `resourceUri` SHOULD be set to the URI from which the producer expects the +> consumer to fetch the artifact for verification. This enables the consumer to +> easily determine the expected value when [verifying](#how-to-verify). If the > `resourceUri` is set to some other value, the producer MUST communicate the > expected value, or how to determine the expected value, to consumers through > an out-of-band channel.
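Review bot: In the PATCH 1/3 hunk at `@@ -155,6 +155,13 @@`, the new paragraph says the consumer can "easily determine the expected value" from the fetch URI, but it never states that the expected value must come from the consumer's own side (the URI it was configured to request), not from the `resourceUri` field of the VSA it is checking; a verifier that reads the field out of the attestation and compares it with itself performs a vacuous match. Suggest adding a sentence such as "Consumers MUST derive the expected value from the URI they requested, not from the VSA." The text also leaves open whether the comparison is against the URI the consumer requested or the final URI after redirects or mirrors; those differ in practice and the spec should say which one the producer is expected to put in `resourceUri`. Minor: "through out-of-band channel" is missing an article ("through an out-of-band channel"); since PATCH 2/3 fixes this, squash it into this commit.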
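Review bot: The PATCH 2/3 hunk at `@@ -161,7 +161,7 @@` only inserts the article "an" into a line that PATCH 1/3 added earlier in the same series, so it should be squashed into PATCH 1/3 rather than landing as a separate "missing word" commit; a standalone fix-up for text that did not exist before this series adds noise to the history.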
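Review bot: In the PATCH 3/3 hunk at `@@ -156,9 +156,9 @@`, the rewording "fetch the artifact for verification" is less precise than the text it replaces ("fetch the artifact being verified"): it can be read as fetching the artifact in order to perform verification, whereas the intent is that `resourceUri` identifies the artifact that is the subject of the VSA. Suggest "from which the producer expects the consumer to fetch the artifact being verified." Like PATCH 2/3, this is a fix-up of lines introduced in PATCH 1/3 and should be squashed into it.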