Created example project: https://github.com/sethmlarson/python-slsa-release-test
Python doesn't have a specific builder yet. Only have source attestation using the generic builder. Used: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml
Attestation "subject.name" is taken as input from sha256sum, so check the output of that to ensure it's what you want (ie package.tar.gz vs dist/package.tar.gz) For this I had to include a cd dist/ && before the sha256sum * call. Not sure where this matters though?
Success:
./slsa-verifier-linux-amd64 \
-provenance artifacts.intoto.jsonl \
-artifact-path secure_package_template-0.2.0.tar.gz \
-tag 0.1.10 \
-source github.com/sethmlarson/python-slsa-release-test
Verified signature against tlog entry index 3121002 at URL: https://rekor.sigstore.dev/api/v1/log/entries/609aec4886e378f2159ff9c30e01fb9499d34a4a21848175cdf4b7b491e10293
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0 at commit c8f8996e40ef7e0539d0b0ad405cf3abdbd20865
PASSED: Verified SLSA provenance
./slsa-verifier-linux-amd64 \
-provenance artifacts.intoto.jsonl \
-artifact-path secure_package_template-0.2.0-py3-none-any.whl \
-tag 0.1.10 \
-source github.com/sethmlarson/python-slsa-release-test
Verified signature against tlog entry index 3121002 at URL: https://rekor.sigstore.dev/api/v1/log/entries/609aec4886e378f2159ff9c30e01fb9499d34a4a21848175cdf4b7b491e10293
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0 at commit c8f8996e40ef7e0539d0b0ad405cf3abdbd20865
PASSED: Verified SLSA provenance
- Opaque error message on annotated tags (slsa-framework/slsa-verifier#192)
- Doesn't give the Signed-Releases check for Scorecard (ossf/scorecard#1776 (comment))
- Doesn't work with annotated git tags (slsa-framework/slsa-verifier#193)
- Also doesn't work with lightweight tags not made to a branch head (slsa-framework/slsa-verifier#193 (comment))
- You can't upload
.intoto.jsonlfiles to GitHub issues without renaming them (community/community#28668) - Scorecard docks points if repository uses the Scorecard GitHub Action (ossf/scorecard#2152)
- GitHub security-events permission for write shouldn't allow reading (community/community#29710)
- Scorecard doesn't penalize reusable workflows that aren't pinned to a commit SHA (ossf/scorecard#2174)
- slsa-github-generator reusable workflow doesn't work when pinned to a commit SHA (slsa-framework/slsa-github-generator#722)
- slsa-verifier doesn't have a
-versionflag which helps with user debugging (slsa-framework/slsa-verifier#229) - Scorecard doesn't register "Packaging" if
actions/setup-pythonisn't used in the publishing job (ossf/scorecard#2196) - slsa-verifier doesn't work for artifacts with multiple provenances in a single attestation file (slsa-framework/slsa-verifier#454)
- slsa-github-generator can't append new attestations to existing provenance files (slsa-framework/slsa-github-generator#1565)