Skip to content

'Verifying Artifact Integrity' conflates provenance sourceDigest with a digest of the served artifact #69

Description

@liady

"Verification Procedures > Verifying Artifact Integrity" (specification/ai-catalog.md) instructs:

  1. Fetch the artifact content from the entry's url.
  2. Compute the digest using the algorithm specified in the sourceDigest field.
  3. Compare the computed digest to the declared value. Reject the artifact if they differ.

But sourceDigest is defined on the Provenance Link object as "the digest of the source", and the spec's own examples use a GitHub repository as sourceId with relation: "publishedFrom". Hashing the artifact document served at the entry's url can never match a digest of a source repository. The same conflation appears in the trust model: "Layer 1 - Trust Manifest with Provenance" says the consumer can hash the fetched artifact "and compare it to the digest recorded in the provenance link".

As written, a conformant verifier following this procedure would reject every artifact whose provenance points at its build source rather than at the artifact bytes themselves.

Possible directions:

  • Rewrite the procedure to apply only when the provenance link's source is the artifact content (e.g. sourceId referencing the artifact document or an OCI blob of it), and say explicitly that source-repository digests are not comparable to the served artifact.
  • Or introduce a dedicated artifact-content digest (an entry-level digest binding the entry to its artifact bytes). ADR 0009 already lists "evaluate whether entry-level digests (binding the entry to its artifact content) should be added" as an open action item, so this may be the cleaner fix.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions