-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Getting SLSA ("Supply-chain Levels for Software Artifacts") compliance #181
Comments
We do already guarantee the integrity of most software in our docker images. The privatebin release is validated using the gpg signatures: docker-nginx-fpm-alpine/Dockerfile Lines 56 to 59 in 65ceef0
We use Alpine Linux as a base image and it's apk package manager does verify the packaged items integrity, alpine also strives for reproducible builds and all the downloaded source files hashes are part of the packages spec, so when they get built or rebuilt the sources get validated each time and the built artifacts are also verified through apk itself when you install them. The part that I'm unsure about is the composer installed PHP libraries - I've not researched if it does any form of signature validation or such. The PB release is downloaded within the container image, so if we wanted to switch from the gpg signatures to this new tool, we needed that tool to have gotten packaged for alpine. What I do like about the gpg approach is that we can do that verification offline, because we included the public key in the repo - we frequently had issues when the public key had to be downloaded first. The SLSA process relies on an online PKI, so it would probably re-introduce that fragility. I don't mind having introduced SLSA signatures for third parties to consume, but I don't think it adds any value switching the attestation method in our docker images. gpg is also more prevalent than this new tool and found pre-installed on many linux distros (i.e. in all Debian derivatives, as gpg is used in the package management). slsa-verifier, in contrast, is not yet commonly available via package management - installing and/or building it from source introduces it's own attestation challenge. |
Yeah then we can focus on first providing slsa signatures for this build for the outside to consume. Anyway I guess proper verification would be to verify the slsa signatures we can because it provides different security properties. |
Okay now that we have SLSA compliance on the PirvateBin (PHP) project itself, we can continue here.
Steps needed
From what I see:
Implementation
The text was updated successfully, but these errors were encountered: