
feat(getsops/sops): SLSA provenance #32051

Merged 2 commits on Feb 12, 2025
Conversation

@scop (Contributor) commented Feb 12, 2025

https://github.com/getsops/sops/releases

Check List

@suzuki-shunsuke suzuki-shunsuke added this to the v4.312.0 milestone Feb 12, 2025
@suzuki-shunsuke (Member) commented:

Thank you!

@suzuki-shunsuke (Member) commented:

https://github.com/getsops/sops/releases/tag/v3.8.0

In addition to SLSA Provenance, Cosign was also supported.

Verify checksums file signature
The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

Verify artifact provenance
The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named sops-v3.8.0.intoto.jsonl. To verify the provenance of an artifact, you can utilize the slsa-verifier tool:
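As an added illustration (not code from this PR, nor from the sops or aqua projects) of what the `.intoto.jsonl` file described above carries, and why its subject digests cover the same artifact-to-hash binding a separate checksums file provides: a small Python script that builds a constructed DSSE envelope in the shape of that file, extracts the subject digests, and compares a local artifact against them, plus the source-repository/tag check that slsa-verifier enforces with `--source-uri` and `--source-tag`. The sample artifact bytes, builder id and signature are placeholders, and the script deliberately does not verify the DSSE signature, which is the part slsa-verifier (backed by the Sigstore trust root) performs.

```python
import base64
import hashlib
import json

# Constructed sample artifacts standing in for the release binaries named in
# the provenance. These bytes are NOT the real sops release binaries; their
# digests are computed here purely so the example is self-contained.
SAMPLE_ARTIFACTS = {
    "sops-v3.8.0.linux.amd64": b"constructed linux/amd64 binary bytes\n",
    "sops-v3.8.0.darwin.arm64": b"constructed darwin/arm64 binary bytes\n",
}

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_provenance() -> str:
    """Return a constructed one-line .intoto.jsonl: a DSSE envelope wrapping an
    in-toto statement, shaped like the file named in the release notes."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [
            {"name": name, "digest": {"sha256": sha256_hex(data)}}
            for name, data in SAMPLE_ARTIFACTS.items()
        ],
        "predicate": {
            # Placeholder builder id; a real file names the SLSA builder
            # workflow that produced the release.
            "builder": {"id": "https://builder.example.invalid/placeholder"},
            "invocation": {
                "configSource": {
                    # Constructed to match the repo and tag the release notes refer to.
                    "uri": "git+https://github.com/getsops/sops@refs/tags/v3.8.0",
                }
            },
        },
    }
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        # A real envelope carries a Sigstore signature here. This example does
        # not check signatures (slsa-verifier does), so a placeholder is used.
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-SIGNATURE"}],
    }
    return json.dumps(envelope) + "\n"


def iter_statements(jsonl_text: str):
    """Yield the decoded in-toto statement from each DSSE line of a .jsonl file."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        yield json.loads(base64.b64decode(envelope["payload"]))


def load_subjects(jsonl_text: str) -> dict:
    """Map subject name -> expected sha256 hex: the same binding a checksums
    file provides, but carried inside the (signed) provenance statement."""
    subjects = {}
    for statement in iter_statements(jsonl_text):
        for subject in statement.get("subject", []):
            subjects[subject["name"]] = subject["digest"]["sha256"]
    return subjects


def check_artifact(jsonl_text: str, name: str, data: bytes) -> bool:
    """True only if `name` is a provenance subject and `data` hashes to its digest."""
    expected = load_subjects(jsonl_text).get(name)
    if expected is None:
        return False  # artifact not covered by the provenance at all
    return sha256_hex(data) == expected


def source_matches(jsonl_text: str, source_uri: str, tag: str) -> bool:
    """Check configSource against the expected repository and tag, the binding
    slsa-verifier enforces via --source-uri / --source-tag."""
    expected = f"git+https://{source_uri}@refs/tags/{tag}"
    uris = [
        s["predicate"]["invocation"]["configSource"]["uri"]
        for s in iter_statements(jsonl_text)
    ]
    return bool(uris) and all(u == expected for u in uris)


if __name__ == "__main__":
    prov = build_sample_provenance()
    for name, data in SAMPLE_ARTIFACTS.items():
        print(name, "digest ok:", check_artifact(prov, name, data))
    print("source ok:", source_matches(prov, "github.com/getsops/sops", "v3.8.0"))
```

The point the script makes is the one raised later in this thread: the subject list of the provenance already pins every release artifact to a digest, so a checksums file adds no binding the provenance lacks; what it does not show is the trust decision, which comes from verifying the envelope's signature against the expected builder identity.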

@suzuki-shunsuke suzuki-shunsuke merged commit e97b552 into aquaproj:main Feb 12, 2025
17 checks passed
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Feb 13, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [aquaproj/aqua-registry](https://github.com/aquaproj/aqua-registry) | minor | `v4.310.0` -> `v4.312.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>aquaproj/aqua-registry (aquaproj/aqua-registry)</summary>

### [`v4.312.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.312.0)

[Compare Source](aquaproj/aqua-registry@v4.311.0...v4.312.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.312.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.312.0) | aquaproj/aqua-registry@v4.311.0...v4.312.0

#### 🎉 New Packages

[#&#8203;32011](aquaproj/aqua-registry#32011) [sacloud/usacloud](https://github.com/sacloud/usacloud): CLI client for the Sakura Cloud [@&#8203;ponkio-o](https://github.com/ponkio-o)

#### Fixes

[#&#8203;32048](aquaproj/aqua-registry#32048) stefanprodan/timoni: SLSA provenance [@&#8203;scop](https://github.com/scop)
[#&#8203;32051](aquaproj/aqua-registry#32051) getsops/sops: SLSA provenance [@&#8203;scop](https://github.com/scop)
[#&#8203;32052](aquaproj/aqua-registry#32052) ossf/scorecard: SLSA provenance [@&#8203;scop](https://github.com/scop)

### [`v4.311.0`](https://github.com/aquaproj/aqua-registry/releases/tag/v4.311.0)

[Compare Source](aquaproj/aqua-registry@v4.310.0...v4.311.0)

[Issues](https://github.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.311.0) | [Merge Requests](https://github.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.311.0) | aquaproj/aqua-registry@v4.310.0...v4.311.0

#### 🎉 New Packages

[#&#8203;31981](aquaproj/aqua-registry#31981) [viaduct-ai/kustomize-sops](https://github.com/viaduct-ai/kustomize-sops) - KSOPS - A Flexible Kustomize Plugin for SOPS Encrypted Resources [@&#8203;honahuku](https://github.com/honahuku)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
@scop scop deleted the feat/sops-slsa branch February 14, 2025 20:31
@scop (Contributor, Author) commented Feb 14, 2025

AFAIU SLSA provenance contains everything that the cosign blob signatures have (and some more). Because of that, and because SLSA verification is built in in aqua as opposed to cosign which is a separate install, is there a general benefit of adding cosign if SLSA provenance is available?

I can understand that having both could be nice to have for completeness, as well as if for some reason the user has disabled SLSA verification but has cosign enabled. But I think those are kind of corner cases.

@suzuki-shunsuke (Member) commented:

Good point.
This PR is already closed and this should be discussed in an issue, so I created an issue.

> SLSA verification is built in in aqua as opposed to cosign which is a separate install

This isn't correct.
aqua installs a binary slsa-verifier.
