[recipe_wrapper] Use an in-toto attestation

This change modifies the use of the attestation tool to use an in-toto attestation.

The TL;DR is that there is a deprecated way of doing things called Core Provenance, which was the internal BCID implementation. Then came SLSA v0.1, which had its own attestation format, which was then used by the in-toto organization. The attestation format appears to have been subsumed by in-toto, and so it's now an in-toto Statement instead, which uses the SLSA provenance format, and if you understand it all by now you're doing better than me.

The format appears to be rather loose and mostly human-readable metadata. I don't think anything but the subjects and digest are actually used for verification.

Bug: b/298073152
Bug: b/297416582

Change-Id: I86430bf8fcdc900a9d96d39ad6cf93214ec6a9aa
Reviewed-on: https://fuchsia-review.googlesource.com/c/infra/infra/+/912739
Commit-Queue: Chris Lewis <cflewis@google.com>
Reviewed-by: Nathan Mulcahey <nmulcahey@google.com>
5 files changed
tree: 4a95b464f096a083c999c390db8a3d9c354237d5
  1. artifacts/
  2. buildbucket/
  3. checkout/
  4. cmd/
  5. execution/
  6. flagutil/
  7. functools/
  8. gerrit/
  9. gitiles/
  10. monorail/
  11. rpcutil/
  12. scripts/
  13. third_party/
  14. vendor/
  15. .gitignore
  16. AUTHORS
  17. go.mod
  18. go.sum
  19. LICENSE
  20. manifest
  21. PATENTS
  22. README.md
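
The commit message above says the author believes only the subjects and digest of the in-toto Statement take part in verification. As an added example (not code from this repository or its attestation tool), the Go sketch below parses a Statement and binds an artifact to it by SHA-256. The v0.1 type URIs, the sample JSON and the `MatchSubject` helper are assumptions made for illustration, and checking the signature over the attestation is a separate step that is not shown.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Statement holds the in-toto Statement fields (v0.1 layout, an assumption).
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate json.RawMessage `json:"predicate"` // descriptive metadata, not compared here
}

// Constructed sample; the digest is the SHA-256 of the bytes "hello".
const sampleStatement = `{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.1",
  "subject": [{"name": "example.bin", "digest": {"sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}}],
  "predicate": {"builder": {"id": "https://example.invalid/builder"}}
}`

// MatchSubject (hypothetical helper) returns the subject name bound to the artifact.
func MatchSubject(raw, artifact []byte, wantPredicate string) (string, error) {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("parse statement: %w", err)
	}
	if st.PredicateType != wantPredicate {
		return "", fmt.Errorf("unexpected predicateType %q", st.PredicateType)
	}
	got := fmt.Sprintf("%x", sha256.Sum256(artifact)) // lowercase hex digest
	for _, s := range st.Subject {
		if s.Digest["sha256"] == got {
			return s.Name, nil
		}
	}
	return "", fmt.Errorf("sha256 %s matches no subject", got)
}

func main() {
	name, err := MatchSubject([]byte(sampleStatement), []byte("hello"), "https://slsa.dev/provenance/v0.1")
	fmt.Println(name, err)
}
```
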
README.md

infra

This repo contains the tools and config files necessary to run infrastructure related to builds, code review, version control, and continuous integration.