Practice supply chain attestation vocabulary: build attestations, in-toto framework, cosign image signing, signature verification before deployment, and SLSA level requirements.
0 / 5 completed
1 / 5
'The build attestation proves the artifact was built by the pipeline.' What is a build attestation?
A build attestation is a machine-readable, cryptographically signed claim about how an artifact was produced. It states: this artifact (identified by its hash) was built from this source commit, by this build system, at this time, using these steps. Attestations enable consumers to verify the artifact's origin without trusting the artifact alone.
2 / 5
What is the in-toto framework used for in software supply chain security?
In-toto (Latin: 'as a whole') is a framework for securing the software supply chain end-to-end. It defines a 'layout' specifying what steps must occur (clone, build, test, package), who is authorised to perform each step, and what artifacts each step consumes and produces. Link metadata (attestations for each step) is verified against the layout.
3 / 5
'Cosign signs the container image.' What does cosign do?
Cosign (part of the Sigstore project) is a tool for signing and verifying container images. The signing process generates a cryptographic signature using the builder's private key and stores it in the OCI registry alongside the image. Consumers can verify the signature using the corresponding public key before pulling or deploying the image.
4 / 5
'The signature is verified before deployment.' What does this check prevent?
Verifying the signature before deployment ensures the container image has not been tampered with between build and deploy, and that it was produced by an authorised pipeline or person. This prevents attackers who gain registry access from substituting malicious images, and ensures the deployed artifact matches what was built and tested.
5 / 5
'The SLSA level 3 requirement includes attestation.' What is SLSA and what does level 3 guarantee?
SLSA (pronounced 'salsa') is a framework from Google for incrementally improving supply chain security. Level 3 requires: the build runs on a hardened, dedicated CI/CD platform; non-forgeable build provenance is generated; and the platform prevents builders from injecting untrusted inputs. Attestations are a core SLSA requirement for levels 2 and above.