There's a distinction to be made between the signer and the builder for sigstore-based CLIs (npm). We currently have two builders allowed for npm verification: github-hosted and self-hosted. This is giving a false sense of security, because this value (in the cert) only guarantees the runner on which signing took place, not the actual build.

I'm wondering if we should remove this distinction altogether to avoid misleading users. We would have a single builder id we accept, which is the generic "https://github.com/actions/runner" instead of accepting of
slsa-verifier/verifiers/internal/gha/slsaprovenance/common/builders.go, lines 18 to 20 in f09d99f
There is a similar problem with our generators. Except that we don't expose github-hosted vs self-hosted now. And we can fix this problem by resolving slsa-framework/slsa-github-generator#1868
@ramonpetgrave64
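As an added illustration of the proposal in this issue (this is example code written for this page, not slsa-verifier's own code and not the contents of the builders.go lines referenced above), here is a Go sketch of a builder-ID check that treats the github-hosted and self-hosted runner variants as a single identity. It extracts `predicate.builder.id` from a constructed provenance statement, collapses either runner variant to the generic "https://github.com/actions/runner" ID, and rejects a verification request that asks for a specific variant, since the certificate value only records where signing ran. The `/github-hosted` and `/self-hosted` suffix spellings, the sample provenance and all function names are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// GenericRunnerBuilderID is the single builder ID the issue proposes accepting
// for npm (sigstore-signed) artifacts.
const GenericRunnerBuilderID = "https://github.com/actions/runner"

// runnerVariantSuffixes are the hosted/self-hosted forms the issue says give a
// false sense of security. The exact spelling is an assumption for this example.
var runnerVariantSuffixes = []string{"/github-hosted", "/self-hosted"}

// ErrBuilderMismatch is returned when provenance names a different builder.
var ErrBuilderMismatch = errors.New("builder id does not match expected builder")

// ErrVariantNotDistinguishable is returned when the caller asks for a runner
// variant: the certificate value only shows where signing happened, so the
// verifier cannot back a hosted-vs-self-hosted build claim.
var ErrVariantNotDistinguishable = errors.New("hosted/self-hosted builder ids are not a distinct guarantee")

// statement is the minimal subset of an in-toto statement used here.
type statement struct {
	Predicate struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"predicate"`
}

// SampleProvenance is a constructed provenance fragment, not a real attestation.
const SampleProvenance = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "predicate": {
    "builder": {"id": "https://github.com/actions/runner/self-hosted"}
  }
}`

// BuilderIDFromProvenance extracts predicate.builder.id from a statement.
func BuilderIDFromProvenance(raw []byte) (string, error) {
	var s statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", fmt.Errorf("parsing provenance: %w", err)
	}
	if s.Predicate.Builder.ID == "" {
		return "", errors.New("provenance has no builder id")
	}
	return s.Predicate.Builder.ID, nil
}

// NormalizeBuilderID collapses the two runner variants to the generic runner
// ID. Any other ID is returned unchanged, so unrelated builders whose IDs
// happen to end in "/self-hosted" are not rewritten.
func NormalizeBuilderID(id string) string {
	for _, suf := range runnerVariantSuffixes {
		if id == GenericRunnerBuilderID+suf {
			return GenericRunnerBuilderID
		}
	}
	return id
}

// VerifyBuilderID compares the provenance builder ID with the one the caller
// expects. Requesting a hosted/self-hosted variant is rejected outright rather
// than silently accepted, so users are not led to rely on that distinction.
func VerifyBuilderID(provenanceID, expectedID string) error {
	if NormalizeBuilderID(expectedID) != expectedID {
		return fmt.Errorf("%w: use %q", ErrVariantNotDistinguishable, NormalizeBuilderID(expectedID))
	}
	if NormalizeBuilderID(provenanceID) != expectedID {
		return fmt.Errorf("%w: got %q, want %q", ErrBuilderMismatch, provenanceID, expectedID)
	}
	return nil
}

func main() {
	id, err := BuilderIDFromProvenance([]byte(SampleProvenance))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("provenance builder:", id)
	fmt.Println("accepted as generic runner:", VerifyBuilderID(id, GenericRunnerBuilderID))
	fmt.Println("asking for self-hosted:", VerifyBuilderID(id, GenericRunnerBuilderID+"/self-hosted"))
}
```

The design choice worth noting: the collapse happens on both sides of the comparison, but only for the exact generic-runner variants. A user who passes a variant ID gets an explicit error naming the generic ID to use, which is the user-facing counterpart of the change the issue proposes in the accepted-builders list.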