Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: update docs for release v2.0.1 #403

Merged
merged 3 commits into from
Dec 14, 2022
Merged

docs: update docs for release v2.0.1 #403

merged 3 commits into from
Dec 14, 2022

Conversation

asraa
Copy link
Contributor

@asraa asraa commented Dec 14, 2022

This PR

  • Updates the SHA256SUM.md for the releaes v2.0.1
  • Updates the README.md with the v2 module path and adds a known issue for 2.0.1 panic.

To verify hash

  1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.0.1
  2. Clone the slsa-verifier repo, compile and verify the provenance:
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ (Optional: git checkout tags/v2.0.1)
$ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v2.0.1
  1. Get the hash.
    Either:
cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

sha256sum slsa-verifier-linux-amd64

Signed-off-by: Asra Ali asraa@google.com

@asraa
docs: update docs for release v2.0.1
1473708 
Signed-off-by: Asra Ali <asraa@google.com>
@laurentsimon
Copy link
Contributor 

$ go run ./cli/slsa-verifier verify-artifact slsa-verifier-linux-amd64 --provenance-path slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v2.0.1

Verified signature against tlog entry index 9037754 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a92fa27d40d1bb6932df92832fe2c5bf9d021497df0ceb40852dfc53eb99f93c6
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.2 at commit a43888265e1f6aae98c924538298944f2721dcf0
PASSED: Verified SLSA provenance
$ cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'
ad4b408c43504d439827998c27ab4be1c44ff467ccb39b78da01568f8542b10e

$ sha256sum slsa-verifier-linux-amd64
ad4b408c43504d439827998c27ab4be1c44ff467ccb39b78da01568f8542b10e  slsa-verifier-linux-amd64

All matches the ad4b408c43504d439827998c27ab4be1c44ff467ccb39b78da01568f8542b10e added to the SHA256SUM.md

laurentsimon
laurentsimon approved these changes Dec 14, 2022
View reviewed changes
Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@laurentsimon laurentsimon enabled auto-merge (squash) December 14, 2022 00:12
@laurentsimon
Copy link
Contributor

laurentsimon commented Dec 14, 2022
edited
Loading

Something seems off with the pre-submits: they are not running

@laurentsimon laurentsimon enabled auto-merge (squash) December 14, 2022 00:21
@laurentsimon
Copy link
Contributor

laurentsimon commented Dec 14, 2022
edited
Loading

I have updated the pre-submits in the branch protection settings to be like #398, but it does not seem to help :/ Maybe need to restart the runs?

@asraa
Copy link
Contributor Author

asraa commented Dec 14, 2022

I have updated the pre-submits in the branch protection settings to be like #398, but it does not seem to help :/ Maybe need to restart the runs?

Weird, let me try pushing an empty commit.

@asraa
empty
2746fe5 
Signed-off-by: Asra Ali <asraa@google.com>
@laurentsimon
Copy link
Contributor

Fyi, #398 will fix the check-dist pre-submit. Waiting for final ack from Ian to merge.

@laurentsimon laurentsimon merged commit 0bd7a54 into slsa-framework:main Dec 14, 2022
ramonpetgrave64 pushed a commit to ramonpetgrave64/slsa-verifier that referenced this pull request Apr 18, 2024
@laurentsimon
📖 Update doc (slsa-framework#403)
bfc3207 
* Update doc

* update

* update

* update

* update

* update

* update

* update

* comments
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laurentsimon laurentsimon laurentsimon approved these changes

@ianlewis ianlewis Awaiting requested review from ianlewis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asraa @laurentsimon