Supply-chain attestations per package ecosystem
Definition
Supply-chain attestations per package ecosystem are the signed metadata and the verification processes that establish the integrity and authenticity of software packages within a specific ecosystem, such as npm, PyPI, or Maven. An attestation typically records the package's origin, build process, and distribution, so that consumers can verify that the package has not been tampered with and comes from a trusted source. This practice is crucial for maintaining security and trust in software supply chains.
Secure Settings Example
# Example of a secure attestation configuration for a package in a CI/CD pipeline
attestations:
  - type: provenance
    builder: "https://github.com/organization/repo"
    materials:
      - uri: "git+https://github.com/organization/repo@commit"
        digest:
          sha256: "abc123..."
    subjects:
      - name: "package-name"
        digest:
          sha256: "def456..."
    signatures:
      - keyid: "RSA_KEY_ID"
        sig: "base64-encoded-signature"
Insecure Settings Example
# Example of an insecure attestation configuration lacking proper verification
attestations:
  - type: provenance
    builder: "https://github.com/organization/repo"
    materials:
      - uri: "git+https://github.com/organization/repo@commit"
        # Missing digest: the source material cannot be verified
    subjects:
      - name: "package-name"
        # Missing digest: the built package cannot be verified
    # Missing signatures: nothing binds the attestation to a trusted key
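The following verifier, added here as an illustration and not code from the original page, checks the fields that distinguish the secure example above from the insecure one: a trusted builder, a material digest, a subject digest matching the downloaded artifact, and a signature from a known key that covers the whole attestation. HMAC-SHA256 with a constructed key table stands in for the RSA or Sigstore verification a real ecosystem would use, and the builder URL, key id, and artifact bytes are assumptions.

```python
import base64
import hashlib
import hmac
import json
# Constructed trust roots for this example. HMAC-SHA256 stands in for the RSA or
# Sigstore signature verification a real ecosystem verifier performs with a public key.
TRUSTED_KEYS = {"RSA_KEY_ID": b"constructed-demo-key"}
TRUSTED_BUILDERS = {"https://github.com/organization/repo"}

def signed_payload(att):
    # What the signature covers: the attestation minus its signatures, canonically encoded.
    body = {k: v for k, v in att.items() if k != "signatures"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_attestation(artifact, keyid=None, with_digests=True):
    """Build a provenance attestation for artifact; keyid=None leaves it unsigned."""
    att = {
        "type": "provenance",
        "builder": "https://github.com/organization/repo",
        "materials": [{"uri": "git+https://github.com/organization/repo@commit"}],
        "subjects": [{"name": "package-name"}],
    }
    if with_digests:  # the digests the insecure example omits
        att["materials"][0]["digest"] = {"sha256": hashlib.sha256(b"constructed source").hexdigest()}
        att["subjects"][0]["digest"] = {"sha256": hashlib.sha256(artifact).hexdigest()}
    if keyid:  # the signature the insecure example omits
        mac = hmac.new(TRUSTED_KEYS[keyid], signed_payload(att), hashlib.sha256).digest()
        att["signatures"] = [{"keyid": keyid, "sig": base64.b64encode(mac).decode()}]
    return att

def verify_attestation(att, artifact):
    """Return (accepted, reason). Signature is checked first, so unsigned fields are never trusted."""
    if att.get("type") != "provenance" or att.get("builder") not in TRUSTED_BUILDERS:
        return False, "untrusted builder"
    if not att.get("signatures"):
        return False, "missing signatures"
    for sig in att["signatures"]:
        key = TRUSTED_KEYS.get(sig.get("keyid"))
        expected = hmac.new(key, signed_payload(att), hashlib.sha256).digest() if key else b""
        if not key or not hmac.compare_digest(base64.b64decode(sig.get("sig", "")), expected):
            return False, "unknown key or bad signature"
    if any("sha256" not in m.get("digest", {}) for m in att.get("materials", [])):
        return False, "material missing digest"
    actual = hashlib.sha256(artifact).hexdigest()
    for subj in att.get("subjects") or [{}]:  # an empty subject list fails too
        if not hmac.compare_digest(subj.get("digest", {}).get("sha256", ""), actual):
            return False, "subject digest missing or mismatched"
    return True, "ok"
```

Because the signature covers everything except the signatures themselves, editing a subject name or digest after signing is rejected as a bad signature rather than slipping through as a valid-looking but altered attestation.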