
Artifact Attestations #947

Closed
github-product-roadmap opened this issue Mar 27, 2024 · 1 comment
Labels
actions Feature: GitHub Actions beta Feature phase: Beta github enterprise Product SKU: GitHub Enterprise shipped Shipped

Comments


github-product-roadmap commented Mar 27, 2024

Summary

The SLSA framework defines a gradually increasing set of security measures designed to ensure the integrity of software artifacts throughout the supply chain. Once an organization reaches SLSA Build Level 2, they’ve implemented a substantial set of best practices to help secure their software supply chain.

Summary

Sigstore and SLSA (Supply-chain Levels for Software Artifacts) are two initiatives designed to enhance the security of the software supply chain.

The Sigstore project provides infrastructure for keyless signing, verifying, and protecting software. By using cryptographic signatures, Sigstore enables developers and users to verify the integrity and origin of software artifacts, thus preventing insertion of malicious code during the software development and distribution process. In addition to the tooling, the project sponsors graciously host a public-good instance with a transparency log to enable the broader community to adopt signing as part of their workflow.

Supply-chain Levels for Software Artifacts (SLSA) is a security framework that helps ensure the security and integrity of your software supply chain. In particular, it defines a build provenance attestation to describe how an artifact or set of artifacts was produced. The build provenance contains information such as the repository, commit, and workflow where the artifact was produced, which you may not want published to a public log.

Intended Outcome

Artifact Attestations enables you to realize all of the benefits of Sigstore and SLSA while keeping your information private.

How will it work?

Customers will be able to:

  • Use first party GitHub Actions to generate and sign build provenance attestations for any artifact.
  • Store those attestations securely in the GitHub attestation store.
  • Download and verify attestations using the GitHub CLI.
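
The post above describes what a build provenance attestation carries (repository, commit, workflow) and that consumers download and verify it. As an added example, not code from GitHub or from this issue, the Python below shows the policy check a consumer applies once the attestation's signature has been verified: does the artifact's digest appear among the statement's subjects, and was it built by the expected workflow on the expected branch of the expected repository? The artifact bytes, the `example-org/app` repository and the statement are constructed here, laid out in the in-toto Statement / SLSA v1 provenance shape; nothing is fetched from the attestation store.

```python
import hashlib

# Constructed sample artifact and a constructed SLSA v1 build-provenance
# statement (in-toto Statement layout). Neither is real output from
# GitHub; the values only exist to exercise the policy check below.
ARTIFACT = b"hello from a release build\n"

STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/app",
                "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/app@refs/heads/main",
                "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}


def check_provenance(artifact: bytes, statement: dict, expected_repo: str,
                     expected_workflow: str, expected_ref: str = "refs/heads/main") -> list:
    """Return a list of policy failures; an empty list means the artifact is accepted.

    Assumes the signature over the statement was already verified (the job the
    GitHub CLI does). This is the policy layer on top: are these the bytes we
    hold, built by the workflow we trust, from the branch we expect?
    """
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicate type")
    digest = hashlib.sha256(artifact).hexdigest()  # bind the bytes we hold to the subject
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        problems.append("artifact digest not among attestation subjects")
    build_def = statement.get("predicate", {}).get("buildDefinition", {})
    wf = build_def.get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_repo:
        problems.append(f"built from {wf.get('repository')!r}, expected {expected_repo!r}")
    if wf.get("path") != expected_workflow:
        problems.append(f"built by workflow {wf.get('path')!r}, expected {expected_workflow!r}")
    if wf.get("ref") != expected_ref:
        problems.append(f"built from ref {wf.get('ref')!r}, expected {expected_ref!r}")
    return problems
```

A mismatch on any one field is enough to reject: a valid signature from a different repository's workflow is exactly the case the repository and workflow checks exist to catch.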
@github github locked and limited conversation to collaborators Mar 27, 2024
@github-product-roadmap github-product-roadmap added actions Feature: GitHub Actions beta Feature phase: Beta github enterprise Product SKU: GitHub Enterprise labels Mar 27, 2024
@ankneis ankneis changed the title Enterprise Build Provenance Artifact Attestations Mar 29, 2024
@ankneis ankneis added the shipped Shipped label May 3, 2024

ankneis commented May 3, 2024

@ankneis ankneis closed this as completed May 3, 2024
Projects
Status: Q2 2024 – Apr-Jun