From dd738c522800fad7ead0633ccabf458f4587326f Mon Sep 17 00:00:00 2001 From: Mark Lodato Date: Tue, 31 Jan 2023 08:31:25 -0500 Subject: [PATCH] Provenance v1: more fixes Signed-off-by: Mark Lodato --- docs/github-actions-workflow/v0.1/index.md | 2 +- docs/provenance/v1/index.md | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/github-actions-workflow/v0.1/index.md b/docs/github-actions-workflow/v0.1/index.md index 7e4afac31..50be97039 100644 --- a/docs/github-actions-workflow/v0.1/index.md +++ b/docs/github-actions-workflow/v0.1/index.md @@ -164,7 +164,7 @@ repository renames and to detect when an old name is reused for a new entity. ### Resolved dependencies -The `resolvedDependencies` SHOULD contain an entry identifying the resolved the +The `resolvedDependencies` SHOULD contain an entry identifying the resolved git commit ID corresponding to `externalParameters.workflow`. The dependency's `uri` MUST be in [SPDX Download Location] format, i.e. `"git+" + workflow.uri + "@" + workflow.ref`. See [Example]. diff --git a/docs/provenance/v1/index.md b/docs/provenance/v1/index.md index 4a0084d1c..3d4fe9e46 100644 --- a/docs/provenance/v1/index.md +++ b/docs/provenance/v1/index.md @@ -92,6 +92,11 @@ This predicate follows the in-toto attestation [parsing rules]. Summary: - Optional fields MAY be unset or null, and SHOULD be treated equivalently. Both are equivalent to empty for _object_ or _array_ values. +> **TODO:** The [GitHub Actions] spec says that consumers MUST **reject** +> unrecognized external parameters, whereas here we say that they must +> **ignore** unrecognized fields (including parameters). We need to figure out +> which is correct and then resolve the conflict. + ## Schema _NOTE: This section describes the fields within `predicate`. For a description 
@@ -477,7 +482,9 @@ The timestamp of when the build completed. [Verification]: #verification -> **TODO:** Describe how clients are expected to verify the provenance. +> **TODO:** Describe how clients are expected to verify the provenance. This +> includes the idea that a verification tool can check external parameters +> without knowing the specific buildType. ## Index of build types @@ -603,7 +610,6 @@ Renamed to "slsa.dev/provenance". Initial version, named "in-toto.io/Provenance" [Statement]: https://github.com/in-toto/attestation/blob/main/spec/README.md#statement -[DigestSet]: https://github.com/in-toto/attestation/blob/main/spec/field_types.md#DigestSet [in-toto attestation]: https://github.com/in-toto/attestation [parsing rules]: https://github.com/in-toto/attestation/blob/main/spec/README.md#parsing-rules [purl]: https://github.com/package-url/purl-spec
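Review bot: In the `docs/github-actions-workflow/v0.1/index.md` hunk the sentence now says the entry identifies "the resolved git commit ID", but the required `uri` format `"git+" + workflow.uri + "@" + workflow.ref` carries the ref, not the resolved commit; a ref such as a branch name can move. State explicitly that the resolved commit ID is recorded in the dependency's digest (the `uri` alone does not pin it), so a consumer knows which field to compare against the expected commit.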
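Review bot: The new TODO in the first `docs/provenance/v1/index.md` hunk (after the "Optional fields MAY be unset or null" bullet) should record the security consequence of the conflict, not just that it exists: if a verifier ignores unrecognized external parameters, a parameter it does not know about can change what the build did while the verifier's policy check still passes, whereas ignoring unknown fields elsewhere in the predicate is mostly a forward-compatibility concern. Suggest the note say the two cases may need different rules ("reject" for `externalParameters`, "ignore" for other fields) so the eventual resolution does not silently weaken verification.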
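Review bot: The expanded TODO under `[Verification]` now names the goal (checking external parameters without knowing the specific buildType) but the section still has no normative content; a reader landing here from the `[Verification]` links elsewhere in the document gets only a placeholder. Add at least a one-line interim statement of what the verifier compares (the provenance's `externalParameters` against the values the consumer expects) so the cross-references are not dangling until the full text is written.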
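Review bot: The last hunk removes the `[DigestSet]` reference-link definition but shows no corresponding removal of a `[DigestSet]` usage; please confirm no `[DigestSet]` occurrence remains in `docs/provenance/v1/index.md`, since in Markdown an orphaned reference-style link renders as literal bracketed text rather than a link. If the definition is unused, the removal is correct; if not, the usage should be updated in the same change.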