mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-10 02:26:35 +00:00
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547

- [x] Pending: https://github.com/sigstore/sigstore-go/pull/41

Uses the new [sigstore-go@0.2.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.2.0).

Currently slsa-verifier has npmjs' attestation key hardcoded. But sigstore now stores the same key within their own TUF root.

This PR

- dynamically uses the keyid specified in the sigstore bundle, rather than the hardcoded keyid.
- uses an updated ([pending](https://github.com/sigstore/sigstore-go/pull/41)) sigstore-go library that allows us to fetch a signed and verified copy of the same key.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
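The verification pattern the PR describes, as an added example that is not slsa-verifier's or sigstore-go's own code: the verifier reads the keyid hint from the bundle, looks that keyid up in a set of keys that was fetched and verified out of band (standing in for the sigstore TUF root), and refuses to verify if the keyid is unknown instead of falling back to a hardcoded key. The `TrustedRoot` and `Bundle` types, the hex SHA-256-of-SPKI keyid scheme, and the in-toto-shaped payload are all constructed for this example and are not the real sigstore bundle or TUF formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustedRoot stands in for the verification keys a verifier would fetch,
// signed and verified, from the sigstore TUF root. Keys are indexed by keyid
// so nothing needs to be hardcoded. (Constructed type, not sigstore-go's.)
type TrustedRoot struct {
	keys map[string]*ecdsa.PublicKey
}

// KeyID derives an identifier from the DER-encoded SubjectPublicKeyInfo.
// The hex SHA-256 scheme is an assumption made for this example only.
func KeyID(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Add registers a key under its derived keyid and returns that keyid.
func (r *TrustedRoot) Add(pub *ecdsa.PublicKey) (string, error) {
	id, err := KeyID(pub)
	if err != nil {
		return "", err
	}
	if r.keys == nil {
		r.keys = map[string]*ecdsa.PublicKey{}
	}
	r.keys[id] = pub
	return id, nil
}

// Bundle is a minimal stand-in for the parts of a sigstore bundle this check
// needs: the keyid hint, the signed payload and the signature.
type Bundle struct {
	KeyID     string
	Payload   []byte
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Payload)
}

var ErrUnknownKeyID = errors.New("keyid not present in trusted root")

// VerifyBundle selects the key named by the bundle's keyid from the trusted
// root and verifies the signature with it. An unknown keyid is a hard failure.
func VerifyBundle(root *TrustedRoot, b *Bundle) error {
	pub, ok := root.keys[b.KeyID]
	if !ok {
		return fmt.Errorf("%w: %s", ErrUnknownKeyID, b.KeyID)
	}
	digest := sha256.Sum256(b.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], b.Signature) {
		return errors.New("signature verification failed")
	}
	return nil
}

// SignBundle plays the registry's role for the demo; a real verifier only
// ever consumes bundles, it never signs them.
func SignBundle(priv *ecdsa.PrivateKey, payload []byte) (*Bundle, error) {
	id, err := KeyID(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Bundle{KeyID: id, Payload: payload, Signature: sig}, nil
}

// DemoScenario builds a root with one key, signs a constructed attestation
// payload, and returns the outcome of three checks: a valid bundle, a bundle
// whose payload was altered after signing, and a bundle whose keyid the root
// does not know (e.g. a rotated key not yet published in the root).
func DemoScenario() (validErr, tamperedErr, unknownErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	root := &TrustedRoot{}
	if _, err := root.Add(&priv.PublicKey); err != nil {
		return err, err, err
	}
	// Constructed sample payload; not a real npm provenance statement.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pkg:npm/example@1.0.0"}]}`)
	b, err := SignBundle(priv, payload)
	if err != nil {
		return err, err, err
	}
	validErr = VerifyBundle(root, b)

	tampered := *b
	tampered.Payload = append([]byte{}, payload...)
	tampered.Payload[5] ^= 1 // flip one bit of the signed content
	tamperedErr = VerifyBundle(root, &tampered)

	unknown := *b
	unknown.KeyID = "deadbeef-keyid-not-in-root" // placeholder keyid
	unknownErr = VerifyBundle(root, &unknown)
	return validErr, tamperedErr, unknownErr
}

func main() {
	v, t, u := DemoScenario()
	fmt.Println("valid bundle:", v)
	fmt.Println("tampered payload:", t)
	fmt.Println("unknown keyid:", u)
}
```

The design point is the lookup by keyid: when the registry rotates its key and the new key lands in the trusted root, the verifier picks it up without a code change, and a bundle naming a keyid the root has never published fails closed rather than being checked against a stale hardcoded key.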