This is a working draft of v1.1. This document may be modified, replaced, or discarded at any time.

For the latest release candidate or approved version, please use the version selector.

Version 1.0 is available! See the newest documentation.

What's new in SLSA v1.1

SLSA v1.1 is a minor release of SLSA v1 which brings clarifications and additional content without changing the meaning of the specification. This document describes the major changes in v1.1 relative to the prior release, v1.0.

Summary of changes

  • Clarify that attestation format schema are informative and the specification texts (SLSA and in-toto attestation) are the canonical source of definitions.
  • Add procedure for verifying VSAs.
  • Add verifier metadata to VSA format.
  • It is now recommended that the digest field of ResourceDescriptor is set in a Verification Summary Attestation’s (VSA) policy object.
  • Further refine the threat model.