release: add release v1.3.1 and v1.2.1 #288

Merged
merged 3 commits into from
Oct 3, 2022

@asraa asraa commented Oct 2, 2022

Signed-off-by: Asra Ali <asraa@google.com>

Waiting on #287 for release/v1.1 branch.

To verify these hashes, do the following for https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.1 and https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.2.1

  1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.1 (or the other)
  2. Clone the slsa-verifier repo, compile and verify the provenance:
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.3.1 --source-branch release/v1.3
  3. Get the hash.
    Either:
cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

sha256sum slsa-verifier-linux-amd64

Signed-off-by: Asra Ali <asraa@google.com>
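
The digest comparison from step 3 above, as an added Python example (not part of the original PR or the slsa-verifier code base): it looks the artifact up by subject name instead of assuming `subject[0]`, and fails closed when the name is absent. The sample envelope is constructed and unsigned, the helper `make_sample_provenance` is hypothetical, and the `application/vnd.in-toto+json` payload type check is an assumption about the envelope format.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the provenance lines are DSSE envelopes carrying an in-toto statement.
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def provenance_subjects(jsonl_text):
    """Return {subject name: sha256 hex} from every envelope in a .intoto.jsonl file."""
    subjects = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
        # Same data the jq pipeline reads: base64-decode .payload, then walk .subject[].
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
        for subject in statement.get("subject", []):
            digest = subject.get("digest", {}).get("sha256")
            if digest:
                subjects[subject["name"]] = digest.lower()
    return subjects


def artifact_matches(artifact_bytes, artifact_name, jsonl_text):
    """True only if the provenance lists artifact_name with the artifact's SHA-256."""
    expected = provenance_subjects(jsonl_text).get(artifact_name)
    if expected is None:
        return False  # name not covered by this provenance: fail closed
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def make_sample_provenance(name, data):
    """Hypothetical helper: build a constructed, unsigned envelope (not release data)."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "subject": [{"name": name,
                              "digest": {"sha256": hashlib.sha256(data).hexdigest()}}]}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE,
                       "payload": payload, "signatures": []})


if __name__ == "__main__":
    sample = b"constructed stand-in for the binary"
    prov = make_sample_provenance("slsa-verifier-linux-amd64", sample)
    print(artifact_matches(sample, "slsa-verifier-linux-amd64", prov))
    print(artifact_matches(sample + b"!", "slsa-verifier-linux-amd64", prov))
```

A matching digest only ties the binary to the provenance file; the signature and builder checks are still done by the `verify-artifact` command in step 2.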

ianlewis commented Oct 3, 2022

Verified v1.3.1

ianlewis@ianlewis at 00:34:14+0000 git:(main $%=) (default)
slsa-verifier$ git rev-parse HEAD
0ad6136f60e469fe4669ca270a0648cd6141a7c8

ianlewis@ianlewis at 00:39:25+0000 git:(main $%=) (default)
slsa-verifier$ cat ../slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'
065714d01ba36c81fb11aa7031597a77b08491eb341bac8efc3e452f5d5ed4bd

ianlewis@ianlewis at 00:39:47+0000 exited 130 git:(main $%=) (default)
slsa-verifier$ sha256sum ../slsa-verifier-linux-amd64
065714d01ba36c81fb11aa7031597a77b08491eb341bac8efc3e452f5d5ed4bd  ../slsa-verifier-linux-amd64

ianlewis@ianlewis at 00:34:30+0000 git:(main $%=) (default)
slsa-verifier$ go run ./cli/slsa-verifier verify-artifact ../slsa-verifier-linux-amd64 --provenance-path ../slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.3.1 --source-branch release/v1.3
Verified signature against tlog entry index 4398238 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ad182c25d7f09503758e06050bc91f56dacf5e1bb757b1942fa98a005fa0acee2
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.0 at commit 49ab4e7e6957161de15fdc79d128d72812cfefb9
PASSED: Verified SLSA provenance

Verified v1.2.1

ianlewis@ianlewis at 00:36:19+0000 git:(main $%=) (default)
slsa-verifier$ git rev-parse HEAD
0ad6136f60e469fe4669ca270a0648cd6141a7c8

ianlewis@ianlewis at 00:37:41+0000 (default)
tmp$ cat ../slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'
edd1d430429fa3dfaf249d7ec805891a4b7332ea1d17d23f9d20bc6f4aeebe04

ianlewis@ianlewis at 00:37:43+0000 (default)
tmp$ sha256sum ../slsa-verifier-linux-amd64
edd1d430429fa3dfaf249d7ec805891a4b7332ea1d17d23f9d20bc6f4aeebe04  ../slsa-verifier-linux-amd64

ianlewis@ianlewis at 00:36:28+0000 git:(main $%=) (default)
slsa-verifier$ go run ./cli/slsa-verifier verify-artifact ../slsa-verifier-linux-amd64 --provenance-path ../slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.2.1 --source-branch release/v1.2
Verified signature against tlog entry index 4398225 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a8deb959909007f9e83fb3db7b10cea01e59781a5f2da1c5a021379b9e6d98774
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1 at commit f85886e6c4c58059b6061750f6c43c7dbcf698ae
PASSED: Verified SLSA provenance

@ianlewis ianlewis left a comment


LGTM
