Open Source Manager
Attestation
Supply chain integrity verification through attestations
Attestations provide cryptographic proof of how software was built, supporting supply chain integrity and making tampering detectable.
What is Attestation?
Software attestation provides signed statements about:
- Where was this built?
- What source code was used?
- How was it built?
- Who triggered the build?
Supported Attestation Types
SLSA Provenance
Supply-chain Levels for Software Artifacts (SLSA):
| Level | Description |
|---|---|
| SLSA 1 | Documentation of build process |
| SLSA 2 | Hosted build, signed provenance |
| SLSA 3 | Hardened build platform |
| SLSA 4 | Two-party review, hermetic builds |
Gold packages require a minimum of SLSA Level 2.
Sigstore
Sigstore-based attestations provide:
- Keyless signing with OIDC
- Transparency log (Rekor)
- Certificate verification
- Timestamp authority
In-toto
In-toto framework attestations for:
- Source code verification
- Build step documentation
- Multi-party verification
- Custom policies
Verification Process
When you install a Gold package, the following steps run in order:
1. Fetch attestation: download the attestations associated with the package
2. Verify signature: check the cryptographic signatures
3. Validate claims: ensure the build claims match the artifact
4. Check transparency: verify the entries in public logs
5. Confirm identity: validate the builder identity
Viewing Attestations
For any Gold package:
1. Open the package in Gold Directory
2. Navigate to the Attestations tab
3. View:
   - Attestation type
   - Signer identity
   - Build information
   - Verification status
CLI Verification
Verify attestations manually:

```bash
# Install verification tool
npm install -g @safeguard-sh/verify

# Verify a package
safeguard verify lodash@4.17.21
```

Missing Attestations
Packages without attestations:
- Cannot achieve Gold status
- Show warning in Enterprise ESCM
- Are flagged in risk assessments
Creating Attestations
For your own packages, use:
- GitHub Actions with SLSA generator
- Sigstore cosign
- In-toto tooling