[feature] Document that signed provenance replaces signing artifacts #1880
Labels
type:documentation
Improvements or additions to documentation
Comments
gabibguti
added
status:triage
ianlewis
added
type:documentation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
It is not clear through the SLSA 3 Go Builder documentation if it signs both the provenance and the artifacts. As I understand, SLSA 3 Go Builder signs the provenance and does not sign the artifacts. That's because a signed provenance replaces the need of signed artifacts since the hash of the artifacts is included in the provenance subjects. There may be other reasons to sign the artifacts but not to "prove" the integrity of the artifacts as it's already done by the signed provenance.
Describe the solution you'd like
Document that SLSA 3 Go Builder signs the provenance and does not sign the artifacts, and that there's no need to sign the artifacts since the hash of the artifacts is included in the provenance subjects.
Describe alternatives you've considered
None.
Additional context
None.
The text was updated successfully, but these errors were encountered: