Version: 0.9

SLSA

Overview

SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.

Rancher Turtles meets SLSA Level 3 requirements.

Requirement                          | Required at SLSA L3 | Met by Rancher Turtles
-------------------------------------|---------------------|-----------------------
Choose an appropriate build platform | Yes                 | Yes
Follow a consistent build process    | Yes                 | Yes
Distribute provenance                | Yes                 | Yes

Build Platform

  • The Rancher Turtles project uses Git for source code management.
  • All Rancher Turtles maintainers are required to have two-factor authentication enabled and to sign and sign off on all their contributions.
  • The Rancher Turtles project uses GitHub Actions and GitHub Runners for building all its release artifacts.
  • The build and release process runs in isolation on an ephemeral environment provided by GitHub-hosted runners.

Build Process

  • The build and release process is defined in code and is kept under version control.
  • The GitHub Workflows make use of GitHub Actions pinned to certain versions and are kept up-to-date using GitHub Dependabot.
  • All changes to the build and release process are done via Pull Requests that must be approved by at least one Rancher Turtles maintainer.
  • The release process can only be kicked off by a Rancher Turtles maintainer by pushing a Git tag in the semver format.

Provenance

  • The Rancher Turtles project uses the official SLSA GitHub Generator project for provenance generation and distribution.
  • The provenance for the release artifacts published to GitHub Container Registry and to Rancher Prime Registry is generated using the generator_container_slsa3 GitHub Workflow provided by the SLSA GitHub Generator project.
  • The provenance identifies the Rancher Turtles container images using their digest in SHA-256 format.
  • The provenance is signed by Sigstore Cosign using the GitHub OIDC identity, and the public key to verify the provenance is stored in the public Rekor transparency log.
  • The release process and the provenance generation are run in isolation on an ephemeral environment provided by GitHub-hosted runners.
  • The provenance of the Rancher Turtles container images can be verified using the official SLSA verifier tool.
  • The provenance generation workflows run on ephemeral and isolated virtual machines, which are fully managed by GitHub.
  • The provenance signing secrets are ephemeral and are generated through Sigstore’s keyless signing procedure.
  • The SLSA GitHub Generator runs on virtual machines separate from those of the build and release process, so the Rancher Turtles build scripts don’t have access to the signing secrets.
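The bullets above describe what the provenance guarantees; the script below is an added example (not part of the Rancher Turtles project or this page) that wraps the official slsa-verifier so an image is only accepted when its provenance ties it to the expected repository and a semver release tag. The source repository path and image reference are placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example: gate a release image on slsa-verifier, enforcing two things
# the page states: images are identified by SHA-256 digest, and releases are
# only produced from semver tags. TURTLES_REPO is a placeholder (assumption).

TURTLES_REPO="${TURTLES_REPO:-github.com/<org>/<repo>}"
# Workflow that generates the provenance (generator_container_slsa3).
GENERATOR_WORKFLOW="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml"

# The provenance subject is the image digest, so a mutable tag is not enough.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Releases are kicked off by pushing a tag in semver format: vMAJOR.MINOR.PATCH[-pre].
is_semver_tag() {
  printf '%s' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$'
}

# Run (or, with DRY_RUN=1, just print) the slsa-verifier invocation.
# Returns 2 on malformed input, otherwise slsa-verifier's own exit status.
verify_turtles_image() {
  image="$1"; tag="$2"
  if ! is_digest_pinned "$image"; then
    echo "refusing: image must be referenced by sha256 digest: $image" >&2; return 2
  fi
  if ! is_semver_tag "$tag"; then
    echo "refusing: expected a semver release tag, got: $tag" >&2; return 2
  fi
  set -- slsa-verifier verify-image "$image" \
    --source-uri "$TURTLES_REPO" \
    --source-tag "$tag" \
    --builder-id "$GENERATOR_WORKFLOW"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"; return 0
  fi
  "$@"
}

# Stand-alone use: VERIFY_IMAGE=<image@sha256:...> VERIFY_TAG=v0.9.0 sh verify.sh
if [ -n "${VERIFY_IMAGE:-}" ] && [ -n "${VERIFY_TAG:-}" ]; then
  verify_turtles_image "$VERIFY_IMAGE" "$VERIFY_TAG"
fi
```

A non-zero exit from slsa-verifier means the image's provenance did not match the expected repository, tag or builder and the image should not be deployed.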

Isolation

  • The provenance generation is decoupled from the build process; the SLSA GitHub Generator runs on separate virtual machines fully managed by GitHub.
  • The release process can't access the provenance signing key because the provenance generator runs in isolation on separate GitHub-hosted runners.