From 33d12f346e0508d7838284ab423b79f501117e05 Mon Sep 17 00:00:00 2001 From: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com> Date: Tue, 4 Feb 2025 15:59:57 +0100 Subject: [PATCH] Module attestations Signed-off-by: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com> Co-authored-by: Martin Atkins --- rfc/20241206-oci-registries/6-modules.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rfc/20241206-oci-registries/6-modules.md b/rfc/20241206-oci-registries/6-modules.md index 982ea978f1..18c51a9538 100644 --- a/rfc/20241206-oci-registries/6-modules.md +++ b/rfc/20241206-oci-registries/6-modules.md @@ -56,9 +56,10 @@ oras push \ terraform-your-module.zip:archive/zip ``` -We also intend to provide a tool similar to how [providers work](5-providers.md) that will allow for publishing and mirroring modules. +We also intend to provide a tool similar to how [providers work](5-providers.md) that will allow for publishing and mirroring modules. Similar to providers, the mirroring tool will attach detected SBOM and attestation artifacts to the modules in OCI. Specifically, the mirroring tool will detect: -⚠ TODO: what do we do with SBOM and signature artifacts? +- `*.spdx.json` as `application/spdx+json` containing an SPDX SBOM file. +- `*.intoto.jsonl` as `application/vnd.in-toto+json` containing an [in-toto attestation framework](https://github.com/in-toto/attestation)/[SLSA Provenance](https://slsa.dev/spec/v1.0/provenance) file. ---
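Review bot: the hunk in `rfc/20241206-oci-registries/6-modules.md` replaces the TODO "what do we do with SBOM and signature artifacts?" but the new text only covers SBOM (`*.spdx.json`) and in-toto/SLSA attestation (`*.intoto.jsonl`) files; signature artifacts, which the removed TODO explicitly asked about, are not addressed, so either add a third bullet for them or keep a narrower TODO so the open question is not lost. Two further gaps a reader of this section will hit: the bullets say the tool "will detect" artifacts by filename pattern, but not whether it checks that an attestation's subject digest actually matches the `terraform-your-module.zip` archive pushed in the `oras push` example above the hunk, nor how a detected artifact is attached to the module manifest in the registry (referrer/subject relationship vs. a separate tag); since `5-providers.md` is referenced as the model, a one-line pointer to the provider section that defines that behaviour, or a sentence stating it here, would make the module side self-contained. Minor: a `.jsonl` file holds one JSON document per line, so it is worth stating whether each line is attached as its own `application/vnd.in-toto+json` artifact or the whole file as one blob, and "Similar to providers, ..." directly after "similar to how providers work" reads as a repetition; "As with providers, the mirroring tool will also attach ..." would flow better.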