"Verification Procedures > Verifying Artifact Integrity" (specification/ai-catalog.md) instructs:
- Fetch the artifact content from the entry's
url.
- Compute the digest using the algorithm specified in the
sourceDigest field.
- Compare the computed digest to the declared value. Reject the artifact if they differ.
But sourceDigest is defined on the Provenance Link object as "the digest of the source", and the spec's own examples use a GitHub repository as sourceId with relation: "publishedFrom". Hashing the artifact document served at the entry's url can never match a digest of a source repository. The same conflation appears in the trust model: "Layer 1 - Trust Manifest with Provenance" says the consumer can hash the fetched artifact "and compare it to the digest recorded in the provenance link".
As written, a conformant verifier following this procedure would reject every artifact whose provenance points at its build source rather than at the artifact bytes themselves.
Possible directions:
- Rewrite the procedure to apply only when the provenance link's source is the artifact content (e.g.
sourceId referencing the artifact document or an OCI blob of it), and say explicitly that source-repository digests are not comparable to the served artifact.
- Or introduce a dedicated artifact-content digest (an entry-level digest binding the entry to its artifact bytes). ADR 0009 already lists "evaluate whether entry-level digests (binding the entry to its artifact content) should be added" as an open action item, so this may be the cleaner fix.
"Verification Procedures > Verifying Artifact Integrity" (
specification/ai-catalog.md) instructs:url.sourceDigestfield.But
sourceDigestis defined on the Provenance Link object as "the digest of the source", and the spec's own examples use a GitHub repository assourceIdwithrelation: "publishedFrom". Hashing the artifact document served at the entry'surlcan never match a digest of a source repository. The same conflation appears in the trust model: "Layer 1 - Trust Manifest with Provenance" says the consumer can hash the fetched artifact "and compare it to the digest recorded in the provenance link".As written, a conformant verifier following this procedure would reject every artifact whose provenance points at its build source rather than at the artifact bytes themselves.
Possible directions:
sourceIdreferencing the artifact document or an OCI blob of it), and say explicitly that source-repository digests are not comparable to the served artifact.