SLSA
Overview
SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.
Rancher Turtles meets SLSA Level 3 requirements.
| Requirement | Required at SLSA L3 | Met by Rancher Turtles |
|---|---|---|
| Choose an appropriate build platform | Yes | Yes |
| Follow a consistent build process | Yes | Yes |
| Distribute provenance | Yes | Yes |
Build Platform
- The Rancher Turtles project uses Git for source code management.
- All Rancher Turtles maintainers are required to have two-factor authentication enabled and to sign and sign off on all their contributions.
- The Rancher Turtles project uses GitHub Actions and GitHub Runners for building all its release artifacts.
- The build and release process runs in isolation on an ephemeral environment provided by GitHub-hosted runners.
Build Process
- The build and release process is defined in code and is kept under version control.
- The GitHub Workflows use GitHub Actions pinned to specific versions and are kept up to date using GitHub Dependabot.
- All changes to the build and release process are done via Pull Requests that must be approved by at least one Rancher Turtles maintainer.
- The release process can only be kicked off by a Rancher Turtles maintainer by pushing a Git tag in the semver format.
Provenance
- The Rancher Turtles project uses the official SLSA GitHub Generator project for provenance generation and distribution.
- The provenance for the release artifacts published to GitHub Container Registry and to Rancher Prime Registry is generated using the generator_container_slsa3 GitHub Workflow provided by the SLSA GitHub Generator project.
- The provenance identifies the Rancher Turtles container images using their digest in SHA-256 format.
- The provenance is signed by Sigstore Cosign using the GitHub OIDC identity, and the public key to verify the provenance is stored in the public Rekor transparency log.
- The release process and the provenance generation are run in isolation on an ephemeral environment provided by GitHub-hosted runners.
- The provenance of the Rancher Turtles container images can be verified using the official SLSA verifier tool.
- The provenance generation workflows run on ephemeral and isolated virtual machines, which are fully managed by GitHub.
- The provenance signing secrets are ephemeral and are generated through Sigstore’s keyless signing procedure.
- The SLSA GitHub Generator runs on separate virtual machines from the build and release process, so the Rancher Turtles build scripts have no access to the signing secrets.
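The checks a consumer would run on the provenance statement after its signature has been verified (the subject digest in SHA-256 format, the expected generator_container_slsa3 builder, the source repository, and the semver release tag that the Build Process section says triggers a release) as an added example in Python. This is not Rancher Turtles project code: the in-toto statement below is constructed, and the image name, digest, repository and tag values in it are placeholders; the builder ID version suffix and the `git+https://…@refs/tags/…` form of `configSource.uri` are assumptions about the generator's output.

```python
"""Content checks on a SLSA v0.2 provenance statement for a container image.

Signature verification is out of scope here (cosign / slsa-verifier do that);
this checks what the statement says once it is known to be authentic.
"""
import json
import re

# Builder ID of the generator_container_slsa3 reusable workflow. The version
# tag appended after '@refs/tags/' varies per release, so only the prefix is
# matched (assumption: the generator uses this layout).
EXPECTED_BUILDER_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_container_slsa3.yml@refs/tags/"
)

# Release tags must be semver (v1.2.3, optionally with a pre-release suffix).
SEMVER_TAG = re.compile(r"^refs/tags/v\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

# Assumed form of invocation.configSource.uri: git+https://github.com/org/repo@ref
CONFIG_SOURCE_URI = re.compile(r"^git\+https://github\.com/([^@]+)@(.+)$")


def verify_statement(statement, image_digest, source_repo):
    """Return (ok, reasons): ok is True when every check passes, otherwise
    reasons lists each failed check so the caller can log all of them."""
    reasons = []

    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        reasons.append("not an in-toto v0.1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        reasons.append("predicate is not SLSA provenance v0.2")

    # The image must be one of the statement's subjects, matched by SHA-256
    # digest (the page says provenance identifies images by digest).
    if image_digest.startswith("sha256:"):
        image_digest = image_digest[len("sha256:"):]
    subject_digests = {
        s.get("digest", {}).get("sha256") for s in statement.get("subject", [])
    }
    if image_digest not in subject_digests:
        reasons.append("image digest is not a subject of the provenance")

    predicate = statement.get("predicate", {})
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(EXPECTED_BUILDER_PREFIX):
        reasons.append(f"unexpected builder id: {builder_id!r}")

    # The build must have been triggered from the expected repository and
    # from a semver tag, mirroring the release-process rule.
    uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    match = CONFIG_SOURCE_URI.match(uri)
    if match is None or match.group(1) != source_repo:
        reasons.append(f"source repository does not match {source_repo!r}: {uri!r}")
    elif not SEMVER_TAG.match(match.group(2)):
        reasons.append(f"build was not triggered from a semver tag: {match.group(2)!r}")

    return (not reasons, reasons)


# Constructed sample statement (placeholder names and digest, not real values).
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_STATEMENT = json.loads(json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "ghcr.io/example-org/example-image",
                 "digest": {"sha256": SAMPLE_DIGEST[len("sha256:"):]}}],
    "predicate": {
        "builder": {"id": EXPECTED_BUILDER_PREFIX + "v1.0.0"},
        "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1",
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/example-repo@refs/tags/v0.1.0",
            "digest": {"sha1": "0" * 40},
            "entryPoint": ".github/workflows/release.yaml"}},
    },
}))


if __name__ == "__main__":
    ok, why = verify_statement(SAMPLE_STATEMENT, SAMPLE_DIGEST, "example-org/example-repo")
    print("valid" if ok else "rejected: " + "; ".join(why))
```

Run against a real statement, the function would be called with the decoded payload of the attestation and the digest of the image actually being deployed, so that a statement for some other image, from some other builder or repository, or from a branch push instead of a release tag is rejected even though its signature is valid.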
Isolation
- The release process and the provenance generation are run in isolation on an ephemeral environment provided by GitHub-hosted runners.
- The provenance generation is decoupled from the build process; the SLSA GitHub Generator runs on separate virtual machines fully managed by GitHub.
- The release process can't access the provenance signing key because the provenance generator runs in isolation on separate GitHub-hosted runners.