Update verifier paths, bridge ID migration #256
Merged
puerco merged 3 commits into slsa-framework:main from Jul 30, 2025
This commit fixes the broken tag verification by updating the paths and URIs for the verification IDs to those of the new repos.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
This commit adds a compatibility hack to support both the old and new actions repository signer identities while we migrate to the new source-actions repos. This commit is intended to be reverted once all repos have signed their VSAs using the new identity. For more see: slsa-framework#255

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
This commit fixes the broken tag verification by updating the paths and URIs for the verification IDs to those of the new repos.
This fixes the verification and retrieval of commits using the latest release of sourcetool but would break backwards compatibility with attestations signed with older releases unless...
This commit includes a compatibility hack in e4e1f80 to allow verifying attestations with both the old (this repo) and new (slsa-framework/source-actions) signer identities. This commit should be reverted once all repos are signing with the new workflow.
See this issue for more info: #255
Before updating the local_attest this PR needs to go in to support the identity change.
/cc @TomHennen ^^
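The dual-identity acceptance described in this PR, sketched as an added example (not code from this PR or from sourcetool). The repository and workflow paths, the tag-only ref pattern, and the names `SignerIdentity`, `trustedSigners`, `MatchSigner` and `allowLegacy` are assumptions made for illustration; only the GitHub Actions OIDC issuer URL is a real value.

```go
package main

import (
	"fmt"
	"regexp"
)

// SignerIdentity is the issuer and SAN read from an already-verified signing certificate.
type SignerIdentity struct{ Issuer, SAN string }

type trustedSigner struct {
	name, issuer string
	san          *regexp.Regexp
	legacy       bool
}

// GitHub Actions OIDC issuer. The repository and workflow paths below are constructed placeholders.
const ghIssuer = "https://token.actions.githubusercontent.com"

var trustedSigners = []trustedSigner{
	{"new", ghIssuer, regexp.MustCompile(`^https://github\.com/example-org/new-actions/\.github/workflows/attest\.yml@refs/tags/v[0-9]+$`), false},
	{"legacy", ghIssuer, regexp.MustCompile(`^https://github\.com/example-org/old-tool/\.github/workflows/attest\.yml@refs/tags/v[0-9]+$`), true},
}

// MatchSigner returns the name of the trusted identity that matched, so callers can
// log how often the legacy identity is still in use before removing it.
func MatchSigner(id SignerIdentity, allowLegacy bool) (string, error) {
	for _, t := range trustedSigners {
		if t.legacy && !allowLegacy {
			continue // migration finished: legacy identity is no longer accepted
		}
		// Both fields must match; the SAN pattern is anchored at both ends so a
		// look-alike repository or a suffixed ref cannot satisfy it.
		if id.Issuer == t.issuer && t.san.MatchString(id.SAN) {
			return t.name, nil
		}
	}
	return "", fmt.Errorf("untrusted signer %q (issuer %q)", id.SAN, id.Issuer)
}

func main() {
	old := SignerIdentity{ghIssuer, "https://github.com/example-org/old-tool/.github/workflows/attest.yml@refs/tags/v1"}
	fmt.Println(MatchSigner(old, true))
	fmt.Println(MatchSigner(old, false))
}
```

Returning the matched name lets a verifier count legacy matches, which gives a concrete signal for when the compatibility entry can be dropped.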