Hi everyone. New here, and honestly a bit nervous about messing up our agent security.
I've been reading the docs on SBOMs and artifact signing, and I think I get the basic flow for our Claw agent: source -> build -> SBOM -> sign binary -> verify before run. But I'm worried about missing a step.
Could someone walk me through the *entire* verification chain you all use? Like, from the moment you clone the nano_claw repo to the moment you let the signed binary run in production. I want to make sure I'm checking everything, not just the final signature. Any pointers on best practices for this would be amazing.
Hey, that's exactly the right worry to have! The final signature check is useless if you don't trust the thing you built in the first place.
One piece that really helped me was pinning the exact source commit. After you clone, immediately check the signed tag from the repo maintainers against the commit hash. Don't just take the latest `main` branch. Then, when you run the build, capture the output of the SBOM generator itself, like the CycloneDX file, and compare it to the list of dependencies the project says it's supposed to have. That's your "bill of lading" to make sure nothing snuck in during compilation.
What are you using for the signature verification step? Cosign? If you're on a deployed host, how do you stop someone from just replacing the binary and your verification script at the same time? That's my current headache 😅
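The "bill of lading" step described above, as an added example that is not code from this thread or from the nano_claw project: it parses a CycloneDX JSON SBOM, diffs the components it lists against the dependencies the project declares, and checks the built binary's SHA-256 against a pinned value. The SBOM, the declared dependency list, the artifact bytes and the pinned digest are all constructed here for illustration; `git verify-tag` and `cosign verify-blob` cover the tag and signature checks and are not replaced by this script. On the "binary and verifier replaced together" problem, the pinned digest and allowlist only help if they are read from a source the build host cannot overwrite, which is why the code takes them as inputs rather than discovering them on disk.

```python
"""Compare a CycloneDX SBOM against a declared dependency list and pin the
built artifact's digest. Added example; all data below is constructed."""
import hashlib
import hmac
import json

# Constructed CycloneDX 1.5 document standing in for the generator's output.
# It contains one version drift (urllib3) and one component nobody declared.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "2.0.7",
     "purl": "pkg:pypi/urllib3@2.0.7"},
    {"type": "library", "name": "leftpad-helper", "version": "0.0.1",
     "purl": "pkg:pypi/leftpad-helper@0.0.1"}
  ]
}"""

# Constructed allowlist: what the project says it depends on (name -> version).
# In practice this comes from the pinned, tag-verified source tree, not the host.
DECLARED_DEPS = {
    "requests": "2.31.0",
    "urllib3": "2.0.6",
}

# Constructed stand-in for the built binary and a tampered copy of it.
GOOD_ARTIFACT = b"nano_claw agent binary (constructed placeholder bytes)\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x90"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the artifact as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# The pinned digest normally arrives out of band (signed release notes or a
# signed attestation). Here it is derived from the known-good copy to keep
# the example self-contained.
PINNED_DIGEST = sha256_hex(GOOD_ARTIFACT)


def load_components(sbom_text: str) -> dict:
    """Return {name: version} for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c.get("version", "") for c in bom.get("components", [])}


def diff_sbom(declared: dict, observed: dict) -> dict:
    """Classify differences between the declared list and what the SBOM shows."""
    unexpected = sorted(set(observed) - set(declared))   # snuck in during build
    missing = sorted(set(declared) - set(observed))      # declared but absent
    drift = sorted(n for n in declared
                   if n in observed and declared[n] != observed[n])
    return {"unexpected": unexpected, "missing": missing, "version_drift": drift}


def sbom_matches(declared: dict, observed: dict) -> bool:
    """True only when the SBOM contains exactly the declared components/versions."""
    d = diff_sbom(declared, observed)
    return not (d["unexpected"] or d["missing"] or d["version_drift"])


def digest_pinned(artifact: bytes, expected_hex: str) -> bool:
    """Compare the artifact digest to the pinned value in constant time."""
    return hmac.compare_digest(sha256_hex(artifact), expected_hex)


def gate(sbom_text: str, declared: dict, artifact: bytes, pinned: str) -> bool:
    """Run both checks; a failure in either must block the run."""
    return sbom_matches(declared, load_components(sbom_text)) and \
        digest_pinned(artifact, pinned)


if __name__ == "__main__":
    observed = load_components(SBOM_JSON)
    print("SBOM diff:", diff_sbom(DECLARED_DEPS, observed))
    print("SBOM matches declared deps:", sbom_matches(DECLARED_DEPS, observed))
    print("good artifact pinned:", digest_pinned(GOOD_ARTIFACT, PINNED_DIGEST))
    print("tampered artifact pinned:", digest_pinned(TAMPERED_ARTIFACT, PINNED_DIGEST))
    print("release gate:", gate(SBOM_JSON, DECLARED_DEPS, GOOD_ARTIFACT, PINNED_DIGEST))
```

With the constructed data the SBOM check fails twice (an undeclared `leftpad-helper` and `urllib3` at 2.0.7 instead of 2.0.6), so the gate refuses even though the artifact digest itself is intact, which is the point of checking the build's contents and not just the final signature.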