This is a working draft of v1.1.

What's new in SLSA v1.1

SLSA v1.1 is a minor release of SLSA v1 that adds content without changing the meaning of the specification. This document describes the major changes in v1.1 relative to the prior release, v1.0.

Summary of changes

  • Clarify that the attestation format schemas are informative and that the specification texts (SLSA and in-toto attestation) are the canonical source of definitions.
  • Add procedure for verifying VSAs.
  • Add verifier metadata to VSA format.
  • Recommend setting the digest field of ResourceDescriptor in a Verification Summary Attestation’s (VSA) policy object.
  • Further refine the threat model.