From 0d802d0a7297932b5d25da668a1d4b9a0c3eef4c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Fri, 29 Jul 2022 20:59:44 +0000 Subject: [PATCH] update Signed-off-by: laurentsimon --- .github/workflows/build.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6554bd70c09..ad08b34b333 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -122,7 +122,7 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 with: base64-subjects: "${{ needs.build.outputs.hashes }}" - upload-assets: true # Upload the generated provenance to release assets for releases for tags. + upload-assets: true # Upload the generated provenance to release assets for tags. buildkit-edge: runs-on: ubuntu-latest diff --git a/README.md b/README.md index bd8177e1275..8388947fda5 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ Docker Linux packages also include Docker Buildx when installed using the > instead. For Linux, we recommend that you follow the [instructions specific for your distribution](#linux-packages). You can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest). -We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a relase binary: +We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary: 1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation). 2. Download the provenance file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/docker/buildx/releases/latest). 3. Run the verifier: