Package provenance
Definition
Package provenance refers to the origin and history of a software package, including its source code, build process, and distribution path. It ensures that the package is authentic, has not been tampered with, and is sourced from a trusted origin. This concept is crucial for maintaining software supply chain security, as it helps verify that the software has not been altered maliciously before deployment.
Secure Settings Example
# Example of a secure package provenance policy in a CI/CD pipeline
steps:
- name: Verify Package Provenance
run: |
curl -sSL https://example.com/verify-provenance.sh | bash
env:
PACKAGE_SIGNATURE: ${{ secrets.PACKAGE_SIGNATURE }}
TRUSTED_KEYS_URL: https://example.com/trusted-keys.gpg
Insecure Settings Example
# Example of an insecure package provenance setup
steps:
- name: Install Package
run: |
curl -sSL https://example.com/install-package.sh | bash
# No verification of package signature or source authenticity