Unverified Commit 1f2d87c7 authored by Tom Hennen's avatar Tom Hennen Committed by GitHub
Browse files

Update requirements.md

parent 447b5291
...@@ -298,11 +298,25 @@ the service generating the provenance. ...@@ -298,11 +298,25 @@ the service generating the provenance.
<td> <td><td><td> <td> <td><td><td>
<tr id="service-generated"> <tr id="service-generated">
<td>Build Service Reported <td>Service Generated
<td> <td>
The provenance was populated with data reported by the build service, not by user-provided tooling The data in the provenance MUST be obtained from the build service (either because
running within the service. the generator _is_ the build service or because the provenance generator reads the
data directly from the build service).
Regular users of the service MUST NOT be
able to inject or alter the contents, except as noted below.
The following provenance fields MAY be generated by the user-controlled build
steps:
* The output artifact hash from [Identifies Artifact](#identifies-artifact).
* Reasoning: This only allows a "bad" build to falsely claim that it
produced a "good" artifact. This is not a security problem because the
consumer MUST accept only "good" builds and reject "bad" builds.
* The "reproducible" boolean and justification from
[Reproducible](#reproducible).
<td> <td><td><td> <td> <td><td><td>
<tr id="non-falsifiable"> <tr id="non-falsifiable">
...@@ -311,6 +325,8 @@ running within the service. ...@@ -311,6 +325,8 @@ running within the service.
Provenance cannot be falsified by the build service's users. Provenance cannot be falsified by the build service's users.
NOTE: This requirement is a stricter version of [Service Generated](#service-generated).
* The provenance signing key MUST be stored in a secure key management system * The provenance signing key MUST be stored in a secure key management system
accessible only to the build service account. accessible only to the build service account.
* The provenance signing key MUST NOT be accessible to the environment running * The provenance signing key MUST NOT be accessible to the environment running
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment