
Provenance & SLSA, Explained


A signature tells you a package wasn't changed after it was signed. It doesn't tell you the package matches its public source, or that the build process itself wasn't tampered with, which is exactly the gap exploited in the SolarWinds attack: the compromised builds were signed with the vendor's legitimate key.

Provenance is verifiable metadata about how and where an artifact was built: which source commit, which builder, what steps. SLSA (Supply-chain Levels for Software Artifacts) is a framework of increasing guarantees about that build integrity.
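To make the "which source commit, which builder" part concrete, here is an added example (not code from the original post or from any SLSA tooling) that checks an artifact against a SLSA v1 provenance statement. The statement layout follows the SLSA v1 provenance predicate carried in an in-toto Statement; the artifact bytes, builder id, repository URI and commit are constructed placeholders. The example assumes the signature on the DSSE envelope that carries the statement has already been verified, and shows what the provenance itself lets you check on top of that signature.

```python
import hashlib
import json

# Constructed sample artifact and a constructed SLSA v1 provenance statement
# describing how it was built. Every URI, builder id and commit below is a
# placeholder, not a real builder or repository.
ARTIFACT = b"example package contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-1.0.0.tgz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildtypes/ci@v1",  # placeholder
            "externalParameters": {
                "source": {"uri": "git+https://example.com/org/repo@refs/heads/main"}
            },
            "resolvedDependencies": [
                {
                    "uri": "git+https://example.com/org/repo@refs/heads/main",
                    "digest": {"gitCommit": "0" * 40},  # placeholder commit
                }
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/ci@v1"}},  # placeholder
    },
}

# The verifier's own policy: which builder it trusts and which repository the
# artifact is supposed to come from. These come from you, not from the provenance.
EXPECTED_BUILDER = "https://example.com/builders/ci@v1"
EXPECTED_SOURCE = "git+https://example.com/org/repo"


def verify_provenance(statement, artifact_bytes, expected_builder, expected_source):
    """Return a list of failed checks; an empty list means the artifact passes.

    Checks, in order: the statement and predicate types are the ones we parse,
    the artifact we hold is one of the statement's subjects (digest match),
    the build ran on the trusted builder, and the resolved source is the
    expected repository pinned to a concrete git commit.
    """
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")

    # Does this provenance actually describe the bytes in hand?
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not among provenance subjects")

    # Was it built by the builder we trust, rather than on someone's laptop?
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        failures.append(f"untrusted builder: {builder!r}")

    # Does the build trace back to the expected repository at a pinned commit?
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [
        d for d in deps
        if d.get("uri") == expected_source or d.get("uri", "").startswith(expected_source + "@")
    ]
    if not sources:
        failures.append("no resolved dependency from the expected source repository")
    elif not all(d.get("digest", {}).get("gitCommit") for d in sources):
        failures.append("source dependency lacks a pinned git commit")
    return failures


if __name__ == "__main__":
    print(json.dumps(PROVENANCE, indent=2))
    print("genuine artifact:", verify_provenance(PROVENANCE, ARTIFACT, EXPECTED_BUILDER, EXPECTED_SOURCE))
    # A single appended byte changes the digest, so the provenance no longer vouches for it.
    print("tampered artifact:", verify_provenance(PROVENANCE, ARTIFACT + b"x", EXPECTED_BUILDER, EXPECTED_SOURCE))
```

The point of the policy inputs is that the provenance is evidence, not a verdict: it says which builder and which commit produced the artifact, and it is the consumer who decides whether that builder is trusted and that repository is the right one. A signature alone would pass the tampered-at-build case; the digest, builder and source checks are what close the gap the post describes.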

What provenance lets you check

Why it matters

In practice