PROVENANCE.md
Verifying build provenance with the SLSA framework

LaunchDarkly uses the SLSA framework (Supply-chain Levels for Software Artifacts) to help developers secure their supply chain by making the authenticity and build integrity of our published packages verifiable.

As part of the SLSA requirements for Build Level 3, LaunchDarkly publishes provenance for our package builds, generated with GitHub's generic SLSA3 provenance generator, and distributes it alongside our packages.

These attestations are available for download from the GitHub release page of each release version, under Assets, as a file named like ldcli_1.0.0_multiple_provenance.intoto.jsonl.

To verify the SLSA provenance attestations, we recommend using slsa-verifier. Example usage for verifying the packages for Linux is included below:

```shell
# Set the version of the PACKAGE to verify
PACKAGE_VERSION=1.0.0
# Ensure the provenance file is downloaded into the same directory as the
# packages for your OS, then run slsa-verifier to verify the provenance
# against the package artifacts. The glob passes every matching tarball
# to the verifier in one invocation.
slsa-verifier verify-artifact \
  --provenance-path ldcli_${PACKAGE_VERSION}_multiple_provenance.intoto.jsonl \
  --source-uri github.com/launchdarkly/ldcli \
  ldcli_${PACKAGE_VERSION}_*.tar.gz
```

Below is a sample of expected output:

```
Verified signature against tlog entry index 84971628 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a9053fbc27f7e695f7bcf705e69e3596a48e4759b9f9429725d4fec327c9d09bf
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit 50b064100a9a142a6da6539e520deef1df6a4ddf
Verifying artifact ldcli_0.6.0_darwin_amd64.tar.gz: PASSED

Verified signature against tlog entry index 84971628 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a9053fbc27f7e695f7bcf705e69e3596a48e4759b9f9429725d4fec327c9d09bf
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit 50b064100a9a142a6da6539e520deef1df6a4ddf
Verifying artifact ldcli_0.6.0_darwin_arm64.tar.gz: PASSED

Verified signature against tlog entry index 84971628 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a9053fbc27f7e695f7bcf705e69e3596a48e4759b9f9429725d4fec327c9d09bf
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit 50b064100a9a142a6da6539e520deef1df6a4ddf
Verifying artifact ldcli_0.6.0_linux_386.tar.gz: PASSED

Verified signature against tlog entry index 84971628 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a9053fbc27f7e695f7bcf705e69e3596a48e4759b9f9429725d4fec327c9d09bf
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit 50b064100a9a142a6da6539e520deef1df6a4ddf
Verifying artifact ldcli_0.6.0_linux_amd64.tar.gz: PASSED

Verified signature against tlog entry index 84971628 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a9053fbc27f7e695f7bcf705e69e3596a48e4759b9f9429725d4fec327c9d09bf
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.10.0" at commit 50b064100a9a142a6da6539e520deef1df6a4ddf
Verifying artifact ldcli_0.6.0_linux_arm64.tar.gz: PASSED

PASSED: Verified SLSA provenance
```

Alternatively, to verify the provenance manually, follow the recommendations for verifying build artifacts in the SLSA framework's own documentation: check that each artifact's digest matches a subject in the attestation and that the builder and source recorded in it are the ones you expect.
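To make the manual checks concrete, here is an added example (not LaunchDarkly's code and not part of this file) that parses a DSSE-wrapped in-toto provenance line of the kind found in a `.intoto.jsonl` file, pins the builder and source repository, and compares each local artifact's SHA-256 against the attestation's subjects. The envelope and artifact bytes are constructed fixtures; the script does not verify the Sigstore signature or the Rekor log entry, which is what slsa-verifier adds on top of these checks.

```python
import base64
import hashlib
import json

# Values pinned from this document; anything else is rejected.
EXPECTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/"
                    ".github/workflows/generator_generic_slsa3.yml")
EXPECTED_SOURCE = "github.com/launchdarkly/ldcli"

# Constructed sample artifact bytes (not a real ldcli release tarball).
SAMPLE_ARTIFACT = b"constructed tarball bytes for ldcli_1.0.0_linux_amd64.tar.gz"


def make_sample_envelope(artifact_name, data, builder=EXPECTED_BUILDER):
    """Build a constructed DSSE envelope carrying a SLSA v0.2 statement for `data`."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder + "@refs/tags/v1.10.0"},
            "invocation": {"configSource": {
                "uri": "git+https://" + EXPECTED_SOURCE + "@refs/tags/v1.0.0"}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


def check_provenance(envelope_line, artifacts):
    """Return {artifact name: True/False} for whether its digest is attested.

    Raises ValueError if the envelope type, builder or source is not the expected one,
    so an attestation from the wrong workflow never yields a PASS for any artifact.
    """
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    stmt = json.loads(base64.b64decode(env["payload"]))
    pred = stmt["predicate"]
    builder = pred["builder"]["id"].split("@", 1)[0]          # drop @refs/tags/...
    source = pred["invocation"]["configSource"]["uri"].split("@", 1)[0]
    source = source.removeprefix("git+https://")
    if builder != EXPECTED_BUILDER or source != EXPECTED_SOURCE:
        raise ValueError(f"untrusted builder or source: {builder} / {source}")
    attested = {s["name"]: s["digest"]["sha256"] for s in stmt["subject"]}
    return {name: attested.get(name) == hashlib.sha256(data).hexdigest()
            for name, data in artifacts.items()}
```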

Note: These instructions do not apply when building our CLI from source.