feat: Producing SLSA provenance for reproducible builds using Hermit #39

Open
asraa opened this issue Mar 8, 2023 · 0 comments
Labels
enhancement New feature or request

asraa commented Mar 8, 2023

Feature Description

Hey! This is more of a request for a collaboration. Our team works on creating tools for SLSA provenance (SLSA is a project aimed at improving software supply chain integrity by producing verifiable provenance about the origin of the software and integrating it inside the software delivery pipeline).

We've been developing a container-based provenance GitHub workflow that is able to produce verifiable and non-forgeable provenance for a build that uses a container base image and a specified script/command to run. This work is being done to support Project Oak's transparent release -- which aims to enhance remote attestations in TEEs with transparent, verifiable binary provenance.

The workflow creates provenance that is isolated from both the user and the build process, in order to produce provenance that could not have been manipulated (assuming trust in the workflow). The provenance record contains information needed for a verifier to reproduce the build -- and we have developed tools to support reproducibility.

Using Hermit inside a base image to create the build would hopefully provide a fully deterministic build.

Feature purpose and use cases
We'd like to demo or showcase the usage of Hermit inside a base image to produce a fully deterministic build output with verifiable build provenance.

We're wondering if (1) you have considered build provenance, and (2) if you would be interested in demonstrating usage of these tools together for demos and examples.

cc @rbehjati @laurentsimon

asraa added the enhancement (New feature or request) label Mar 8, 2023