Attestation files provided by the user on the command line are not checked for their verified status. Currently, Macaron relies on the information provided by third-party services such as GitHub, deps.dev, npm, etc. to verify provenances while retrieving them, which cannot be applied to local files. Unfortunately, the APIs available on GitHub and Sigstore Rekor do not provide a simple method of verifying provenance. Therefore, to properly support local attestations, Macaron must have its own method of verifying them.
Verification should support the following build types in provenances: