Generate SLSA Verification Summary Attestation (VSA)
Problem to solve
The CI/CD component implemented in "CI/CD component for provenance generation with ..." (#514814 - closed) generates a provenance attestation, and in a typical workflow that attestation is verified by consumers.
However, there are scenarios where producers can't access the provenance attestation. In that case producers should deliver a Verification Summary Attestation (VSA) of the provenance.
This allows software consumers to make a decision about the validity of an artifact without needing to have access to all of the attestations about the artifact or all of its transitive dependencies. They can use it to delegate complex policy decisions to some trusted party and then simply trust that party’s decision regarding the artifact.
Proposal
Introduce a CI/CD component that verifies the provenance attestation and generates a Verification Summary Attestation (VSA).
The verification CI/CD component is compatible and easy to integrate with the CI/CD component that generates the provenance attestation, implemented in #514814 (closed).
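As an added example (not code from this issue, from the provenance component in #514814, or from GitLab), the Python below sketches the two halves of the flow the proposal describes: the verifier side that records the outcome of checking a provenance attestation as an SLSA v1.0 VSA predicate inside an in-toto Statement and wraps it in a DSSE envelope, and the consumer side that accepts or rejects an artifact from the VSA alone, checking the envelope signature, the verifier identity, the subject digest, the result and the verified SLSA build level. Field names follow the published SLSA VSA and DSSE specifications; the verifier URL, policy URI, resource URI, artifact bytes and signing key are constructed placeholders, and the HMAC signature is a stand-in for the keyless or KMS-backed signing a real component would use.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed placeholders for the verifier identity and its signing key.
# A real component would sign with Sigstore or a KMS key, not an HMAC secret.
VERIFIER_ID = "https://example.invalid/verifier"
VERIFIER_KEYID = "example-verifier-key"
VERIFIER_KEY = b"example-verifier-secret-do-not-use"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: what actually gets signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def dsse_sign(statement: dict) -> dict:
    """Wrap an in-toto Statement in a DSSE envelope signed by the verifier."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(VERIFIER_KEY, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": VERIFIER_KEYID, "sig": base64.b64encode(sig).decode()}],
    }


def dsse_verify(envelope: dict, trusted_keys: dict) -> dict:
    """Return the decoded Statement if some signature verifies under a trusted key."""
    payload = base64.b64decode(envelope["payload"])
    for s in envelope["signatures"]:
        key = trusted_keys.get(s["keyid"])
        if key is None:
            continue
        expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            return json.loads(payload)
    raise ValueError("no valid signature from a trusted verifier key")


def make_vsa(subject_name, subject_sha256, provenance_sha256, passed, build_level, resource_uri, policy_uri):
    """Summarise a provenance verification as an SLSA v1.0 VSA predicate (verifier side)."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": VSA_PREDICATE_TYPE,
        "predicate": {
            "verifier": {"id": VERIFIER_ID},
            "timeVerified": datetime.now(timezone.utc).isoformat(),
            "resourceUri": resource_uri,
            "policy": {"uri": policy_uri},
            # The provenance itself is not shipped; only its digest is referenced.
            "inputAttestations": [{"uri": resource_uri + ".provenance.json",
                                   "digest": {"sha256": provenance_sha256}}],
            "verificationResult": "PASSED" if passed else "FAILED",
            "verifiedLevels": [f"SLSA_BUILD_LEVEL_{build_level}"] if passed else [],
            "slsaVersion": "1.0",
        },
    }


def consumer_accepts(envelope, artifact_sha256, trusted_verifiers, required_level, trusted_keys) -> bool:
    """Consumer side: decide from the VSA alone, without the provenance or the policy."""
    stmt = dsse_verify(envelope, trusted_keys)  # raises on a bad or untrusted signature
    pred = stmt["predicate"]
    if stmt.get("predicateType") != VSA_PREDICATE_TYPE:
        return False
    if pred["verifier"]["id"] not in trusted_verifiers:
        return False  # only a verifier we delegated policy to may vouch for the artifact
    if not any(s["digest"].get("sha256") == artifact_sha256 for s in stmt["subject"]):
        return False  # the summary must be about the artifact we are holding
    if pred["verificationResult"] != "PASSED":
        return False
    levels = {int(lv.rsplit("_", 1)[1]) for lv in pred["verifiedLevels"]
              if lv.startswith("SLSA_BUILD_LEVEL_")}
    return bool(levels) and max(levels) >= required_level


def demo():
    """Constructed end-to-end run: a passing VSA, then one below the required level."""
    artifact_sha = hashlib.sha256(b"constructed artifact bytes").hexdigest()
    prov_sha = hashlib.sha256(b"constructed provenance bytes").hexdigest()
    keys = {VERIFIER_KEYID: VERIFIER_KEY}
    good = dsse_sign(make_vsa("app.tar.gz", artifact_sha, prov_sha, True, 3,
                              "pkg:example/app", "https://example.invalid/policy.rego"))
    accepted = consumer_accepts(good, artifact_sha, {VERIFIER_ID}, 2, keys)
    too_low = consumer_accepts(good, artifact_sha, {VERIFIER_ID}, 4, keys)
    return accepted, too_low


if __name__ == "__main__":
    print(demo())
```

The consumer never sees the provenance or the policy; it trusts the verifier's identity and signature, which is exactly the delegation described above, so the list of trusted verifier ids and keys is the consumer's real policy surface.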
Success Criteria
- A merged, functional CI/CD component that verifies the signed provenance statement and is tested in a sample pipeline.