Attaining SLSA Level 2
Checklist for attaining SLSA v1.0 Level 2:
- SLSA Level 1 checklist
- Build with a hosted build service (as opposed to building on the developer’s machine).
- Generate and sign a Provenance Document (a signed SLSA Level 1 document).
- Verify downstream the authenticity of the Provenance Document.
Generating a signed Provenance Document
Call the following from your build script after the build artifact is complete:
# Create signed SLSA Provenance
valint slsa [target] -o attest --context-type [jenkins|github|circleci|azure|gitlab|travis|bitbucket] -P [SCRIBE_TOKEN]
Where [target] is the build artifact name and --context-type names the hosted build platform the command runs on. You can find signing configuration instructions here.
Secure key management
Store keys and access tokens in the build platform or preferably in a secret management system. Make sure to expose the keys only at the provenance generation step.
Verifying the Provenance Document
To verify, make the following call:
# Verify signed SLSA Provenance
valint verify [target] -i attest-slsa --email [build-platform-identity]
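As an added example (not taken from the page or from Scribe's own documentation), the following GitHub Actions workflow wires the generation and verification steps above together: the artifact is built on a hosted runner, the Scribe token is exposed only to the provenance step, and a separate job verifies the provenance before the artifact is used. The build command, artifact path, valint install step and verifier identity are assumptions.

```yaml
name: build-and-attest
on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest            # hosted build service, not a developer machine
    steps:
      - uses: actions/checkout@v4
      - name: Install valint
        run: echo "install valint here per the Scribe docs (assumed step)"
      - name: Build artifact
        run: make build                 # assumed: produces dist/app.tar.gz
      - name: Generate signed SLSA provenance
        # The token is scoped to this step only; other steps never see it
        env:
          SCRIBE_TOKEN: ${{ secrets.SCRIBE_TOKEN }}
        run: valint slsa dist/app.tar.gz -o attest --context-type github -P "$SCRIBE_TOKEN"
      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

  verify:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Install valint
        run: echo "install valint here per the Scribe docs (assumed step)"
      - uses: actions/download-artifact@v4
        with:
          name: app
      - name: Verify provenance before use
        # build-identity@example.com is a placeholder for the build platform identity
        # that signed the provenance; access to the attestation store is assumed configured
        run: valint verify app.tar.gz -i attest-slsa --email "build-identity@example.com"
```

Keeping the token out of job-level `env` limits which steps can read it; a downstream consumer that fails `valint verify` should not deploy the artifact.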