SLSA 3 (Sigstore?) supply chain compliance plans?

Is there anything already in the works for supporting SLSA 3 compliance?
e.g. Achieving SLSA 3 Compliance with GitHub Actions and Sigstore for Go modules | The GitHub Blog

Maybe SLSA 3 falls under the Sigstore umbrella (not sure if Pulp is already on that bandwagon).

I at least hadn’t seen this before, thanks for the link! Looks like it’s something we definitely want to discuss.

I’ve heard some general interest in Pulp having sigstore integration, and I’m +1 to that. It’s unclear to me whether sigstore has one set of APIs to perform asset signing with or whether they are content-type specific. For example, here’s a sigstore Python client that performs signing and verification, but only for Python assets. Given that those tools are type specific, and the SLSA 3 article linked by the OP is for Go specifically, I think it’s type specific. If that’s the case, I think one of the plugins should try doing an integration.


Pulp Container Registry has plans to integrate with sigstore cosign. We’re waiting on the cosign integration with containers/image library which in turn is used by skopeo and podman. Our registry already has signing and verification integration with the latter ones.

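As an added example (not code from Pulp, cosign, containers/image, or any poster in this thread) of what the key-based cosign signing discussed in the two posts above actually covers, and what a registry or client has to check before trusting an image, here is a self-contained Go program using only the standard library. The JSON layout mirrors cosign's "simple signing" payload as I understand it (the digest sits under `critical`, the tag does not); the image reference, manifest digests and the freshly generated P-256 key are constructed for the demo and are assumptions, not real images or keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// cosignPayloadType is the "type" string cosign writes into its payload
// (assumed from the cosign simple-signing format; not taken from this thread).
const cosignPayloadType = "cosign container image signature"

// SimpleSigningPayload is the document a key-based cosign signature covers.
// Only the manifest digest is under "critical"; a tag is a mutable pointer and
// is deliberately not what the signature binds.
type SimpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional"`
}

// NewPayload builds the canonical payload for an image reference and its
// resolved manifest digest (the "sha256:..." string, not the tag).
func NewPayload(ref, manifestDigest string) ([]byte, error) {
	var p SimpleSigningPayload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = cosignPayloadType
	p.Optional = map[string]interface{}{}
	return json.Marshal(p)
}

// SignPayload produces an ASN.1 ECDSA-P256 signature over SHA-256(payload),
// the primitive behind `cosign sign --key`.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyPayload performs the two checks a verifier must do: the signature
// verifies under the trusted key, AND the signed payload names the manifest
// digest the verifier resolved on its own. Skipping the second check lets a
// valid signature be replayed onto an unrelated image.
func VerifyPayload(pub *ecdsa.PublicKey, payload, sig []byte, resolvedDigest string) (bool, error) {
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return false, fmt.Errorf("signature does not verify under the supplied key")
	}
	var p SimpleSigningPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return false, fmt.Errorf("payload is not valid simple-signing JSON: %w", err)
	}
	if p.Critical.Type != cosignPayloadType {
		return false, fmt.Errorf("unexpected payload type %q", p.Critical.Type)
	}
	if p.Critical.Image.DockerManifestDigest != resolvedDigest {
		return false, fmt.Errorf("signed digest %s does not match resolved digest %s",
			p.Critical.Image.DockerManifestDigest, resolvedDigest)
	}
	return true, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway demo key
	if err != nil {
		panic(err)
	}
	// Constructed sample values; no real registry or image is involved.
	ref := "registry.example/team/app"
	digestA := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("constructed manifest A")))
	digestB := fmt.Sprintf("sha256:%x", sha256.Sum256([]byte("constructed manifest B")))

	payload, _ := NewPayload(ref, digestA)
	sig, _ := SignPayload(priv, payload)
	fmt.Println("payload:", string(payload))
	fmt.Println("signature (base64, as stored in the .sig annotation):",
		base64.StdEncoding.EncodeToString(sig))

	ok, err := VerifyPayload(&priv.PublicKey, payload, sig, digestA)
	fmt.Println("verify against the signed digest:", ok, err)
	// Replay: same valid signature presented for a different manifest.
	ok, err = VerifyPayload(&priv.PublicKey, payload, sig, digestB)
	fmt.Println("verify against another digest:", ok, err)
}
```

In a registry the signature and payload travel as an OCI artifact tagged after the manifest digest (the `sha256-<digest>.sig` convention cosign uses), so the verifier's `resolvedDigest` is whatever it computed over the manifest it actually fetched; the point of the second check is that the stored payload is untrusted input until its digest matches that.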

One more item…

I can’t quite put my finger on it, but I have an intuition that aqua is a good complement for pulp (multi-format, platform-agnostic, registry-based, extensible).

I’ve been talking about pulp in kubernetes circles (those folks don’t get out much) and the feedback is always positive.