Provide in-toto badges
lukpueh opened this issue · comments
Projects that are in-toto secured should be able to include an in-toto badge on there website/github page. We still have to discuss what exactly that means. This is related to providing a dynamic and custom list of guarantees.
See shields.io for example badges.
I'd like to see something basic if it has in-toto metadata that passes
client verification. Ideally, clicking the badge would display the supply
chain in much the same way the layout tool will.
…On Fri, Aug 18, 2017 at 6:17 PM, lukpueh ***@***.***> wrote:
Projects that are *in-toto secured* should be able to include an in-toto
badge on there website/github page. We still have to discuss what exactly
that means. This is related to providing a dynamic and custom list of
guarantees <#3>.
See shields.io for example badges.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#7>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA0XD-mVX5tVUeQ2CkUsaAAJB0dpYGkiks5sZg19gaJpZM4O8GVo>
.
In order to provide badges that display the supply chain + verification results, we would need access to a project's final products, i.e. target files, signed layout, signed link files and project owner public keys. To me this feels a lot like a separate service/platform.
If I understand correctly this is also closely related to the in-toto bundling issue.