SLSA

Overview

SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.

SUSE® Rancher Prime Cluster API meets SLSA Level 3 requirements.

Requirement	Required at SLSA L3	Met by SUSE® Rancher Prime Cluster API
Choose an appropriate build platform	Yes	Yes
Follow a consistent build process	Yes	Yes
Distribute provenance	Yes	Yes

Requirement

Required at SLSA L3

Met by SUSE® Rancher Prime Cluster API

Choose an appropriate build platform

Yes

Follow a consistent build process

Yes

Distribute provenance

Yes

Build Platform

The SUSE® Rancher Prime Cluster API project uses Git for source code management.
All the SUSE® Rancher Prime Cluster API maintainers are required to have two-factor authentication enabled, to sign and sign off on all their contributions.
The SUSE® Rancher Prime Cluster API project uses GitHub Actions and GitHub Runners for building all its release artifacts.
The build and release process runs in isolation on an ephemeral environment provided by GitHub-hosted runners.

Build Process

The build and release process is defined in code and is kept under version control.
The GitHub Workflows make use of GitHub Actions pinned to certain versions and are kept up-to-date using GitHub Dependabot.
All changes to the build and release process are done via Pull Requests that must be approved by at least one SUSE® Rancher Prime Cluster API maintainer.
The release process can only be kicked off by a SUSE® Rancher Prime Cluster API maintainer by pushing a Git tag in the semver format.

Provenance

The SUSE® Rancher Prime Cluster API project uses the official SLSA GitHub Generator project for provenance generation and distribution.
The provenance for the release artifacts published to GitHub Container Registry and to Rancher Prime Registry is generated using the generator_container_slsa3 GitHub Workflow provided by the SLSA GitHub Generator project.
The provenance identifies the SUSE® Rancher Prime Cluster API container images using their digest in SHA-256 format.
The provenance is signed by Sigstore Cosign using the GitHub OIDC identity, and the public key to verify the provenance is stored in the public Rekor transparency log.
The release process and the provenance generation are run in isolation on an ephemeral environment provided by GitHub-hosted runners.
The provenance of the SUSE® Rancher Prime Cluster API container images can be verified using the official SLSA verifier tool.
The provenance generation workflows run on ephemeral and isolated virtual machines, which are fully managed by GitHub.
The provenance signing secrets are ephemeral and are generated through Sigstore’s keyless signing procedure.
The SLSA GitHub Generator runs on separate virtual machines than the build and release process, so that the SUSE® Rancher Prime Cluster API build scripts don’t have access to the signing secrets.

Isolation

The release process and the provenance generation are run in isolation on an ephemeral environment provided by GitHub-hosted runners.
The provenance generation is decoupled from the build process; the SLSA GitHub Generator runs on separate virtual machines fully managed by GitHub.
The release process can’t access the provenance signing key because the provenance generator runs in isolation on separate GitHub-hosted runners.