content: recommend a VSA include the policy's digest #979

Merged

Conversation

joshuagl
Member

Recommended that the digest field of ResourceDescriptor is set in a Verification Summary Attestation's (VSA) policy object.

Fixes: #803

@netlify

netlify bot commented Oct 10, 2023

Deploy Preview for slsa ready!

Name Link
🔨 Latest commit f41a8d6
🔍 Latest deploy log https://app.netlify.com/sites/slsa/deploys/6552715af8140a000814c81d
😎 Deploy Preview https://deploy-preview-979--slsa.netlify.app

@joshuagl joshuagl mentioned this pull request Oct 10, 2023
7 tasks
Member

@MarkLodato MarkLodato left a comment


Related: I believe there was a separate issue/PR to make policy optional (maybe recommended?) since it's not strictly required. That doesn't impact this PR, but just FYI.

@joshuagl
Member Author

> Related: I believe there was a separate issue/PR to make policy optional (maybe recommended?) since it's not strictly required. That doesn't impact this PR, but just FYI.

Thanks! That matches my mental model (I was surprised when working on this change that the policy was required). I agree, this change still works with that change (tracked as part of #878 but should probably be a separate issue).

@joshuagl joshuagl requested review from kpk47 and lehors October 12, 2023 10:17
docs/spec/v1.1/verification_summary.md Outdated Show resolved Hide resolved
Recommended that the `digest` field of `ResourceDescriptor` is
set in a Verification Summary Attestation's (VSA) `policy` object.

Signed-off-by: Joshua Lock <joshuagloe@gmail.com>
Signed-off-by: Joshua Lock <joshuagloe@gmail.com>
@joshuagl joshuagl force-pushed the joshuagl/vsa-recommend-policy-digest branch from 9106849 to f41a8d6 Compare November 13, 2023 18:56
@joshuagl joshuagl merged commit 28bb70c into slsa-framework:main Nov 13, 2023
6 checks passed
@joshuagl joshuagl deleted the joshuagl/vsa-recommend-policy-digest branch November 13, 2023 18:57
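
The recommendation in this PR, seen from a VSA consumer's side, as an added example that is not part of the PR or of the SLSA project's code: when the `policy` ResourceDescriptor carries a `digest`, a consumer can confirm that the policy it fetched from `policy.uri` is byte-for-byte the one the verifier evaluated. The verifier id, URIs, policy text and function names below are constructed for illustration.

```python
import hashlib

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"
# DigestSet algorithms this sketch can recompute locally (assumption: others are skipped).
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def check_policy_digest(statement, policy_bytes):
    """Return 'match', 'mismatch', 'no-digest' or 'unsupported' for a VSA's policy."""
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        raise ValueError("not a SLSA VSA statement")
    policy = statement.get("predicate", {}).get("policy") or {}
    digest_set = policy.get("digest") or {}
    if not digest_set:
        return "no-digest"  # policy identified by URI only; content is not pinned
    usable = {alg: d for alg, d in digest_set.items() if alg in SUPPORTED}
    if not usable:
        return "unsupported"
    for alg, expected in usable.items():
        if SUPPORTED[alg](policy_bytes).hexdigest() != expected.lower():
            return "mismatch"  # fetched policy is not the one that was evaluated
    return "match"


def sample_vsa(policy_digest):
    """Build a constructed VSA statement; policy_digest=None omits the digest."""
    policy = {"uri": "https://example.com/policies/release.yaml"}
    if policy_digest is not None:
        policy["digest"] = policy_digest
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example-artifact", "digest": {"sha256": "0" * 64}}],
        "predicateType": VSA_PREDICATE_TYPE,
        "predicate": {
            "verifier": {"id": "https://example.com/verifier"},
            "timeCreated": "2023-11-13T00:00:00Z",
            "resourceUri": "https://example.com/example-artifact",
            "policy": policy,
            "verificationResult": "PASSED",
            "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
        },
    }


# Constructed policy contents: V1 is what the verifier evaluated, V2 a later edit at the same URI.
POLICY_V1 = b"require: SLSA_BUILD_LEVEL_3\n"
POLICY_V2 = b"require: SLSA_BUILD_LEVEL_1\n"
PINNED = {"sha256": hashlib.sha256(POLICY_V1).hexdigest()}

if __name__ == "__main__":
    for label, vsa, body in [("pinned, unchanged", sample_vsa(PINNED), POLICY_V1),
                             ("pinned, edited", sample_vsa(PINNED), POLICY_V2),
                             ("uri only", sample_vsa(None), POLICY_V2)]:
        print(label, "->", check_policy_digest(vsa, body))
```
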
Successfully merging this pull request may close these issues.

VSA: should policy digest be mandatory