SLSA
Overview
SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.
Rancher Turtles meets SLSA Level 3 requirements.
| Requirement | Required at SLSA L3 | Met by Rancher Turtles |
|---|---|---|
| Choose an appropriate build platform | Yes | Yes |
| Follow a consistent build process | Yes | Yes |
| Distribute provenance | Yes | Yes |
Build Platform
- The Rancher Turtles project uses Git for source code management.
- All Rancher Turtles maintainers are required to have two-factor authentication enabled, and to sign and sign off on all their contributions.
- The Rancher Turtles project uses GitHub Actions and GitHub Runners for building all its release artifacts.
- The build and release process runs in isolation on an ephemeral environment provided by GitHub-hosted runners.
Build Process
- The build and release process is defined in code and is kept under version control.
- The GitHub Workflows make use of GitHub Actions pinned to specific versions and are kept up to date using GitHub Dependabot.
- All changes to the build and release process are made via Pull Requests that must be approved by at least one Rancher Turtles maintainer.
- The release process can only be kicked off by a Rancher Turtles maintainer pushing a Git tag in semver format.
Provenance
- The Rancher Turtles project uses the official SLSA GitHub Generator project for provenance generation and distribution.
- The provenance for the release artifacts published to GitHub Container Registry and to Rancher Prime Registry is generated using the generator_container_slsa3 GitHub Workflow provided by the SLSA GitHub Generator project.
- The provenance identifies the Rancher Turtles container images by their SHA-256 digest.
- The provenance is signed by Sigstore Cosign using the GitHub OIDC identity, and the public key needed to verify the provenance is stored in the public Rekor transparency log.
- The release process and the provenance generation are run in isolation on an ephemeral environment provided by GitHub-hosted runners.
- The provenance of the Rancher Turtles container images can be verified using the official SLSA verifier tool.
- The provenance generation workflows run on ephemeral and isolated virtual machines, which are fully managed by GitHub.
- The provenance signing secrets are ephemeral and are generated through Sigstore's keyless signing procedure.
- The SLSA GitHub Generator runs on separate virtual machines from the build and release process, so that the Rancher Turtles build scripts don't have access to the signing secrets.
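The following is an added example, not code from the Rancher Turtles project, showing the policy checks a consumer applies to a provenance statement after its Sigstore signature has been verified: the statement's subject digest must match the SHA-256 digest of the image being deployed, the builder must be the generator_container_slsa3 workflow of the SLSA GitHub Generator rather than the project's own release workflow, and the build must have been triggered from a semver tag of the expected repository. The repository URL, image name, digests and generator version are constructed placeholders. In practice `slsa-verifier verify-image <image>@sha256:<digest> --source-uri <repo> --source-tag <tag>` performs these checks together with the signature verification against Rekor; this script shows the policy part in isolation on a constructed statement.

```python
"""Policy checks over a SLSA v0.2 provenance statement for a container image.

Added example (not Rancher Turtles project code). Repository, image name,
digests and generator version below are constructed placeholders.
"""
import json
import re

# Builder ID prefix used by the SLSA GitHub Generator's container workflow.
TRUSTED_BUILDER_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_container_slsa3.yml@refs/tags/"
)
# Assumed source repository (placeholder; the page does not give the URL).
EXPECTED_SOURCE = "git+https://github.com/EXAMPLE-ORG/turtles"
# Semver tag, optionally prefixed with "v", with optional pre-release/build parts.
SEMVER_TAG = re.compile(r"^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


class ProvenanceError(Exception):
    """Raised when a provenance statement fails a policy check."""


def check_provenance(statement_json: str, image_digest: str) -> dict:
    """Validate a provenance statement against the digest of the image to run.

    Returns the verified source tag and generator version on success and
    raises ProvenanceError naming the failing check otherwise.
    """
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        raise ProvenanceError("unexpected predicateType")

    # 1. The image about to be run must be one of the statement's subjects;
    #    subjects are identified by digest, never by a mutable tag.
    digest = image_digest.removeprefix("sha256:").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ProvenanceError("image digest must be a 64-hex SHA-256 value")
    subjects = stmt.get("subject") or []
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        raise ProvenanceError("subject digest does not match the image digest")

    pred = stmt.get("predicate", {})

    # 2. The provenance must come from the isolated generator workflow, not from
    #    the project's own build job (which must never hold the signing identity).
    builder_id = pred.get("builder", {}).get("id", "")
    if not builder_id.startswith(TRUSTED_BUILDER_PREFIX):
        raise ProvenanceError(f"untrusted builder: {builder_id!r}")
    builder_version = builder_id[len(TRUSTED_BUILDER_PREFIX):]

    # 3. The build must have been triggered from a semver tag of the expected repo.
    config_uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    repo, sep, ref = config_uri.partition("@")
    if repo != EXPECTED_SOURCE or not sep:
        raise ProvenanceError(f"unexpected source: {config_uri!r}")
    if not ref.startswith("refs/tags/"):
        raise ProvenanceError("build was not triggered from a tag")
    tag = ref[len("refs/tags/"):]
    if not SEMVER_TAG.match(tag):
        raise ProvenanceError(f"tag is not semver: {tag!r}")

    return {"tag": tag, "builder_version": builder_version}


def is_valid(statement_json: str, image_digest: str) -> bool:
    """Boolean wrapper around check_provenance for admission-style decisions."""
    try:
        check_provenance(statement_json, image_digest)
        return True
    except ProvenanceError:
        return False


# Constructed sample statement shaped like the generator's output (placeholder values).
SAMPLE_DIGEST = "a" * 64
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "ghcr.io/EXAMPLE-ORG/turtles", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER_PREFIX + "v1.9.0"},
        "buildType": "https://github.com/slsa-framework/slsa-github-generator/container@v1",
        "invocation": {"configSource": {
            "uri": EXPECTED_SOURCE + "@refs/tags/v0.7.0",
            "digest": {"sha1": "b" * 40},
            "entryPoint": ".github/workflows/release.yml",
        }},
    },
})
# Same statement, but claiming the project's own release workflow as builder:
# this is what a non-isolated build signing its own provenance would look like.
SELF_SIGNED_STATEMENT = SAMPLE_STATEMENT.replace(
    TRUSTED_BUILDER_PREFIX,
    "https://github.com/EXAMPLE-ORG/turtles/.github/workflows/release.yml@refs/tags/",
)

if __name__ == "__main__":
    print(check_provenance(SAMPLE_STATEMENT, "sha256:" + SAMPLE_DIGEST))
    print("self-signed accepted:", is_valid(SELF_SIGNED_STATEMENT, SAMPLE_DIGEST))
```

The builder check is the one that encodes the isolation property described above: a statement whose builder ID is the project's release workflow is rejected even if every other field is correct, because only the generator workflow is trusted to hold the ephemeral signing identity.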
Isolation
- The provenance generation is decoupled from the build process; the SLSA GitHub Generator runs on separate virtual machines fully managed by GitHub.
- The release process can't access the provenance signing key because the provenance generator runs in isolation on separate GitHub-hosted runners.