Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attestations #1067

Open
yizha1 opened this issue Oct 14, 2024 · 0 comments
Open

Attestations #1067

yizha1 opened this issue Oct 14, 2024 · 0 comments
Labels
enhancement New feature or request v2 Things belongs to version 2.x
Milestone
2.1.0

Comments

@yizha1
Copy link
Contributor

yizha1 commented Oct 14, 2024
edited
Loading

Is your feature request related to a problem?

Description

An attestation is a cryptographically signed collection of claims related to one or more software artifacts. According to SLSA, an attestation consists of authenticated statements about a software artifact or a collection of software artifacts. Examples include signed provenance files or signed SBOM files for container images. Attestations are crucial for ensuring the security and trustworthiness of the software supply chain.

Attestations are typically involved in the processes of creating attestations for software artifacts and verifying them before using the corresponding software artifacts. For instance, users generate SBOM attestations for container images in CI/CD pipelines and verify these attestations at admission control before deploying the container images on K8s clusters.

In-toto attestations are popular in the cloud-native ecosystem as part of the in-toto framework, which is designed to secure the integrity of software supply chains. You can find existing vetted predicates. Below are some examples of their adoption:

To adopt in-toto attestations, the following open issues should be considered by the Notary Project community:

  • Unsupported Envelope Type: In-toto attestations utilize the DSSE envelope and do not support the Notary Project signature envelopes such as JWS/COSE.
  • Performance concern: Since the attestation includes the payload, large payload sizes (e.g., an SBOM for a Windows image, which could be hundreds of megabytes) can lead to performance issues during attestation download and verification.

Request

This issue requests the Notary Project to identify scenarios, create specifications, and provide reference implementations for attestations, including:

  • Scenarios for using attestations throughout the cloud-native secure supply chain.
  • Notary Project specification of the attestation format and storage in OCI-compliant registries.
  • Notary Project specification of workflows for creating and verifying attestations.
  • Reference implementation (Notation) of Notary Project attestation specifications including CLI specifications
  • Integration of Notary Project attestation tooling into popular CI/CD pipelines.

Your comments are welcome.
@yizha1 yizha1 added enhancement New feature or request triage Need to triage labels Oct 14, 2024
@yizha1 yizha1 mentioned this issue Oct 14, 2024
Open
@yizha1 yizha1 added this to the 2.1.0 milestone Oct 15, 2024
@yizha1 yizha1 added v2 Things belongs to version 2.x and removed triage Need to triage labels Oct 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request v2 Things belongs to version 2.x
Projects
Notary Project Planning Board
Status: Todo
Milestone
2.1.0
Development

No branches or pull requests
1 participant
@yizha1