Clarify that non-cryptographic digests may use custom value encoding#517
Conversation
| - `{"sha256": "abcd", "sha512": "1234"}` matches `{"sha256": "abcd"}` | ||
| - `{"sha256": "abcd"}` does not match `{"sha256": "fedb", "sha512": "abcd"}` | ||
| - `{"somecoolhash": "abcd"}` uses a non-predefined algorithm | ||
| - `{"arn": "arn:aws:ec2:region:123:image/ami-123abcd"}` for a non-cryptographic VM image digest using an Amazon Resource Name (ARN) |
There was a problem hiding this comment.
In this specific case, shouldn't the arn go into the uri field? (since arns are urns which are uris).
There was a problem hiding this comment.
In ordinary ResourceDescriptors yes, but because the RD of the Subject field has some extra restrictions that require a digest to be set, that's the case we're covering here. I can add a note explaining this here, if you think that would help.
There was a problem hiding this comment.
Also note that "Each element MUST have digest set." and "IMPORTANT: Subject artifacts are matched purely by digest, regardless of content type. If this matters to you, please comment on #28" link
And this reference in the SLSA source spec that shows using a URI in the field: https://slsa.dev/spec/v1.2/source-requirements#source-verification-summary-attestation:~:text=For%20example%3A%20svn_revision_id%3A%20svn%2Bhttps%3A//svn.myproject.org/svn/MyProject/trunk%402019
There was a problem hiding this comment.
Sounds good. I was looking at it from the point of view of something trying to locate attestations applicable to the arn. If I was starting with the arn, I would locate statements based on the arn in the uri, and then match the artifacts based on the contents of the digests.
Signed-off-by: Marcela Melara <marcela.melara@intel.com>
828c682 to
f032e7a
Compare
Signed-off-by: Marcela Melara <marcela.melara@intel.com>
This PR adds a short clarification in the DigestSet spec stating that non-cryptographic digests may use custom value encoding.
Fixes #499