Unverified Commit 5f253fb9 authored by Tom Hennen's avatar Tom Hennen Committed by GitHub
Browse files

Allow a service other than the 'build service' to generate provenance

This is just an initial thought.  We might only want this adjustment at L2 but still make the build service generate the provenance at L3+.

On the other hand, maybe as long as the builder _reports_ the data and it's confident in that data, it would be fine for some other service to generate the provenance?

That would allow for a 'trusted service' to translate one provenance format to another (in addition to gathering the data from API calls).
parent 48797760
......@@ -294,14 +294,14 @@ all the other requirements.
The provenance's authenticity and integrity can be verified by the consumer.
This SHOULD be through a digital signature from a private key accessible only to
the build service.
the service generating the provenance.
<td> <td><td><td>
<tr id="service-generated">
<td>Service Generated
<td>Service Reported
The provenance was populated by the build service, not by user-provided tooling
The provenance was populated by data reported by the build service, not by user-provided tooling
running on top of the service.
<td> <td><td><td>
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment