Comply with SLSA Build L3 #12

Open
io7m opened this issue Sep 21, 2023 · 1 comment

Comments

io7m commented Sep 21, 2023

https://slsa.dev/spec/v1.0/threats

One major part of this is generating "signed provenance":

https://slsa.dev/spec/v1.0/provenance

I'm not sure how this works for privately hosted northpike instances.

io7m added the enhancement (New feature or request) label Sep 21, 2023
io7m self-assigned this Sep 21, 2023
io7m added a commit that referenced this issue Sep 23, 2023
io7m added the server (Issues involving the server) label Oct 9, 2023
io7m commented Oct 9, 2023

Agents may need to generate a keypair on startup, and send the public key to the server. The server can use this for authentication (instead of the current NPAccessKey) and this key can also be used to sign provenance.
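
An added sketch of the idea in the comment above (not northpike code and not written by the issue author): an agent generates a keypair at startup, the server stores the encoded public key, and that one key signs both an authentication challenge and a provenance statement. The choice of Ed25519, the domain tags, the class name and the sample statement are assumptions made for illustration; it needs Java 15 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;

public final class AgentKeyExample {
  // Hypothetical domain-separation tags: one key serves two purposes, so every
  // signature is bound to its purpose and a signed challenge never verifies as provenance.
  static final String AUTH = "example-auth-v1\n";
  static final String PROVENANCE = "example-provenance-v1\n";

  static byte[] sign(PrivateKey key, String domain, byte[] message) throws GeneralSecurityException {
    Signature s = Signature.getInstance("Ed25519");
    s.initSign(key);
    s.update(domain.getBytes(StandardCharsets.UTF_8));
    s.update(message);
    return s.sign();
  }

  static boolean verify(PublicKey key, String domain, byte[] message, byte[] sig) throws GeneralSecurityException {
    Signature s = Signature.getInstance("Ed25519");
    s.initVerify(key);
    s.update(domain.getBytes(StandardCharsets.UTF_8));
    s.update(message);
    return s.verify(sig);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    // Agent: generate a fresh keypair on startup; only the encoded public key leaves the agent.
    KeyPair agent = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
    byte[] sentToServer = agent.getPublic().getEncoded(); // X.509 SubjectPublicKeyInfo

    // Server: decode and store the key received from the agent.
    PublicKey registered = KeyFactory.getInstance("Ed25519")
      .generatePublic(new X509EncodedKeySpec(sentToServer));

    // Authentication: the server issues a fresh random challenge and the agent signs it.
    byte[] challenge = new byte[32];
    new SecureRandom().nextBytes(challenge);
    byte[] authSig = sign(agent.getPrivate(), AUTH, challenge);
    System.out.println("auth ok: " + verify(registered, AUTH, challenge, authSig));

    // Provenance: the agent signs the statement bytes (constructed sample, not real SLSA provenance).
    byte[] statement = "{\"subject\":\"example-artifact\",\"builder\":\"example-agent\"}"
      .getBytes(StandardCharsets.UTF_8);
    byte[] provSig = sign(agent.getPrivate(), PROVENANCE, statement);
    System.out.println("provenance ok: " + verify(registered, PROVENANCE, statement, provSig));

    // Cross-use check: the authentication signature must not verify under the provenance tag.
    System.out.println("auth sig as provenance: " + verify(registered, PROVENANCE, challenge, authSig));
  }
}
```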
