docs: add the checksum of v2.0.0 #374

Merged
merged 3 commits into from
Dec 2, 2022

suzuki-shunsuke (Contributor) commented Dec 2, 2022

$ sha256sum slsa-verifier-linux-amd64 
8d2e93a9ea0126d5daec22f2778b42fea79192605d16955f0c91847c3a6a8921  slsa-verifier-linux-amd64

Signed-off-by: Shunsuke Suzuki <suzuki.shunsuke.1989@gmail.com>
suzuki-shunsuke marked this pull request as ready for review December 2, 2022 01:31
ianlewis enabled auto-merge (squash) December 2, 2022 02:56
laurentsimon (Contributor) commented Dec 2, 2022

@ianlewis Can you add the relevant command used to verify the sha256 with provenance?
Like in #347

ianlewis (Member) commented Dec 2, 2022

> @ianlewis Can you add the relevant command used to verify the sha256 with provenance? Like in #347

Yes. Verified via both the binary and provenance subject.

$ sha256sum slsa-verifier-linux-amd64                                                                                                     
8d2e93a9ea0126d5daec22f2778b42fea79192605d16955f0c91847c3a6a8921  slsa-verifier-linux-amd64
$ jq -r '.payload' < slsa-verifier-linux-amd64.intoto.jsonl | base64 -d | jq '.subject[0]'
{
  "name": "slsa-verifier-linux-amd64",
  "digest": {
    "sha256": "8d2e93a9ea0126d5daec22f2778b42fea79192605d16955f0c91847c3a6a8921"
  }
}
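
The digest comparison from the comment above as a script, added here as an example that is not part of the PR or the project's code: it decodes the `payload` of each `.intoto.jsonl` line as the jq command does and checks the artifact's SHA-256 against the subject listed under its name. The function names, artifact bytes and envelope are constructed for illustration; it checks only that the digests match and does not verify the envelope signature.

```python
import base64
import hashlib
import json


def provenance_subjects(jsonl_text):
    """Map artifact name -> sha256 hex for every subject in the provenance."""
    subjects = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        # The in-toto statement is the base64-encoded "payload" field.
        statement = json.loads(base64.b64decode(envelope["payload"]))
        for subject in statement.get("subject", []):
            digest = subject.get("digest", {}).get("sha256")
            if digest:
                subjects[subject["name"]] = digest.lower()
    return subjects


def digest_matches(name, data, jsonl_text):
    """True only if `name` is a listed subject whose sha256 equals sha256(data)."""
    expected = provenance_subjects(jsonl_text).get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def constructed_envelope(name, data):
    """Build an unsigned sample envelope (constructed data, not a real release)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})


# Constructed sample input so the example runs offline.
CONSTRUCTED_ARTIFACT = b"constructed artifact bytes"
CONSTRUCTED_JSONL = constructed_envelope("slsa-verifier-linux-amd64",
                                         CONSTRUCTED_ARTIFACT) + "\n"

if __name__ == "__main__":
    name = "slsa-verifier-linux-amd64"
    print(digest_matches(name, CONSTRUCTED_ARTIFACT, CONSTRUCTED_JSONL))
    print(digest_matches(name, CONSTRUCTED_ARTIFACT + b"tampered", CONSTRUCTED_JSONL))
```
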

ianlewis (Member) commented Dec 2, 2022

Provenance for v2.0.0 also verified by the verifier at HEAD.

slsa-verifier$ go run ./cli/slsa-verifier verify-artifact slsa-verifier-linux-amd64 \
    --source-branch main \
    --source-tag v2.0.0 \
    --provenance-path slsa-verifier-linux-amd64.intoto.jsonl \
    --source-uri github.com/slsa-framework/slsa-verifier
Verified signature against tlog entry index 8254206 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a0d0655be7998e4a81dff692095c218075cd984f5a78509d24122a40ff1c16145
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.2 at commit 128324f48837d274fdb69870704477a8d2645b8d
PASSED: Verified SLSA provenance

It looks as though @asraa didn't use a release/v2.0.0 branch but tagged a commit on main.

ianlewis merged commit 798db79 into slsa-framework:main Dec 2, 2022
suzuki-shunsuke deleted the add-v200-checksum branch December 2, 2022 03:23
ramonpetgrave64 pushed a commit to ramonpetgrave64/slsa-verifier that referenced this pull request Apr 18, 2024