-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: adding SLSA verification steps for cpp-server-sdk
- Loading branch information
1 parent
2a5ee2e
commit 2c588a9
Showing
1 changed file
with
23 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -59,6 +59,29 @@ yarn && yarn build && cd packages/sdk/cloudflare | |
| yarn test | ||
| ``` | ||
|
|
||
| ## Validating SDK packages with the SLSA framework | ||
|
|
||
| LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) to help developers make their supply chain more secure by ensuring the authenticity of our published SDK packages. As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds to NPM for distribution alongside our packages. | ||
|
|
||
| The SLSA framework specifies some [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation. For npm packages that are published with provenance, npm already [validates the authenticity of the package using Sigstore](https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance). In addition to npm's validation, we recommend the following steps: | ||
| - Ensure that the @launchdarkly/react-native-client-sdk version you're downloading was published with npm-verified provenance | ||
| - Check the [versions tab in npm](https://www.npmjs.com/package/@launchdarkly/cloudflare-server-sdk?activeTab=versions) and ensure the version you're installing has a green checkmark | ||
| - Use the provenance published in npm to verify the authenticity of the build: | ||
| - Check the source commit for: | ||
| - Source repository is a LaunchDarkly-owned repository | ||
| - Commit author is a LaunchDarkly entity | ||
| - (Optional) Code changes in the commit are trustworthy | ||
| - Check the build file and build summary for: | ||
| - Build is triggered by a LaunchDarkly-owned repository | ||
| - Build is executed by a LaunchDarkly-owned Github Actions workflow | ||
| - Build steps are trustworthy | ||
| - Check the public ledger's transparency log entry for: | ||
| - Provenance is signed by Sigstore to guarantee authenticity | ||
| - OIDC token used to publish the provenance (Github Workflow + Source Repository fields) are LaunchDarkly-owned | ||
|
|
||
| The recommendations above may be adjusted to fit your organization's needs and supply chain security policies. For additional questions, please contact [[email protected]](mailto:[email protected]). | ||
|
|
||
|
|
||
| ## About LaunchDarkly | ||
|
|
||
| - LaunchDarkly is a continuous delivery platform that provides feature flags as a service and allows developers to iterate quickly and safely. We allow you to easily flag your features and manage them from the LaunchDarkly dashboard. With LaunchDarkly, you can: | ||
|
|
||