> [!CAUTION]
> This feature is still experimental.
BCR now accepts build attestations in order to increase security for all BCR users. This feature is still experimental and thus optional, but eventually we expect all modules that natively build with Bazel to also generate build attestations.
BCR presubmit verifies attestations if an incoming PR for a new module (version) contains an `attestations.json` file next to `source.json` and `MODULE.bazel`. Its format looks like this:

```json
{
  "mediaType": "application/vnd.build.bazel.registry.attestation+json;version=1.0.0",
  "attestations": {
    "source.json": {
      "url": "https://github.com/some-org/some-repo/releases/download/v1.0.0/source.json.intoto.jsonl",
      "integrity": "sha256-NylZt7S5lfmT0VjMvzXwafpjIqoaWDkgaml5VrmdW/A="
    },
    "MODULE.bazel": {
      "url": "https://github.com/some-org/some-repo/releases/download/v1.0.0/optionalPrefix-MODULE.bazel.intoto.jsonl",
      "integrity": "sha256-NylZt7S5lfmT0VjMvzXwafpjIqoaWDkgaml5VrmdW/A="
    },
    "project.tar.gz": {
      "url": "https://github.com/some-org/some-repo/releases/download/v1.0.0/project.tar.gz.intoto.jsonl",
      "integrity": "sha256-NylZt7S5lfmT0VjMvzXwafpjIqoaWDkgaml5VrmdW/A="
    }
  }
}
```
Rules:

- `attestations` must contain exactly three elements, with keys being `source.json`, `MODULE.bazel` and the basename of the source archive.
- `metadata.json`.
- `*.intoto.jsonl` attestations referenced in this file must live in the same directory.
- Attestations are checked with `slsa-verifier` during presubmit.
- Once the PR has been merged, `MODULE.bazel.intoto.json` and `source.json.intoto.jsonl` will be mirrored to https://registry.bazel.build/.
You can verify attestations locally by running `bcr_validation.py`.
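As an added example (not code from BCR or its `bcr_validation.py`), the following Python check applies the structural rules above to a constructed `attestations.json` built from the page's sample. It assumes each `integrity` value is an SRI-style `sha256-<base64>` digest of the referenced `.intoto.jsonl` file and reads "same directory" as the release directory that holds the source archive.

```python
import base64
import hashlib
import json
import posixpath
import re
MEDIA_TYPE = "application/vnd.build.bazel.registry.attestation+json;version=1.0.0"
# Constructed sample, built from the page's example (assumed release directory).
RELEASE_DIR = "https://github.com/some-org/some-repo/releases/download/v1.0.0"
SOURCE_ARCHIVE_URL = f"{RELEASE_DIR}/project.tar.gz"
SAMPLE = json.dumps({
    "mediaType": MEDIA_TYPE,
    "attestations": {
        key: {"url": f"{RELEASE_DIR}/{fname}",
              "integrity": "sha256-NylZt7S5lfmT0VjMvzXwafpjIqoaWDkgaml5VrmdW/A="}
        for key, fname in [("source.json", "source.json.intoto.jsonl"),
                           ("MODULE.bazel", "optionalPrefix-MODULE.bazel.intoto.jsonl"),
                           ("project.tar.gz", "project.tar.gz.intoto.jsonl")]
    },
})

def sri_sha256(data: bytes) -> str:
    # SRI-style digest, the form assumed here for each 'integrity' value.
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_attestations(attestations_json: str, source_archive_url: str) -> list:
    """Return the structural rule violations found; an empty list means none."""
    problems = []
    doc = json.loads(attestations_json)
    if doc.get("mediaType") != MEDIA_TYPE:
        problems.append(f"unexpected mediaType {doc.get('mediaType')!r}")
    att = doc.get("attestations")
    if not isinstance(att, dict):
        return problems + ["'attestations' must be a JSON object"]
    expected = {"source.json", "MODULE.bazel", posixpath.basename(source_archive_url)}
    if set(att) != expected:
        problems.append(f"keys must be exactly {sorted(expected)}, got {sorted(att)}")
    for key, entry in att.items():
        if not isinstance(entry, dict):
            problems.append(f"{key}: entry must be an object with url and integrity")
            continue
        url = entry.get("url", "")
        if not url.endswith(".intoto.jsonl"):
            problems.append(f"{key}: url does not name a .intoto.jsonl file")
        # 'Same directory' read as: same release directory as the source archive.
        if posixpath.dirname(url) != posixpath.dirname(source_archive_url):
            problems.append(f"{key}: attestation must live next to the source archive")
        if not re.fullmatch(r"sha256-[A-Za-z0-9+/]{43}=", entry.get("integrity", "")):
            problems.append(f"{key}: integrity must be 'sha256-<base64 SHA-256>'")
    return problems
```

Slsa-verifier's signature and provenance checks are a separate step that this structural check does not replace.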