What's new

This document describes the major changes brought by SLSA v1.1 relative to the prior release, v1.0.

Summary of changes

  • Clarify that attestation format schema are informative and the specification texts (SLSA and in-toto attestation) are the canonical source of definitions.
  • Add procedure for verifying VSAs.
  • Add verifier metadata to VSA format.
  • It is now recommended that the digest field of ResourceDescriptor is set in a Verification Summary Attestation’s (VSA) policy object.
  • Further refine the threat model.