
release: add notes for release v1.2.0 #171

Merged (1 commit), Jul 25, 2022

Conversation

asraa (Contributor) commented Jul 25, 2022

Signed-off-by: Asra Ali [email protected]

This sets the expected sha256 of the v1.2.0 slsa-verifier released binary.

How to LGTM this PR (I'll work on a proper doc for this in slsa-framework/slsa-github-generator#112):

  1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.2.0
  2. Clone the slsa-verifier repo, compile and verify the provenance:

     $ git clone [email protected]:slsa-framework/slsa-verifier.git
     $ cd slsa-verifier
     $ (Optional: git checkout tags/v1.2.0)
     $ go run . -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -source github.com/slsa-framework/slsa-verifier -tag v1.2.0

  3. Get the hash. Either:

     cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

     or

     sha256sum slsa-verifier-linux-amd64

The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM.


Also sets missing v1.0.2:

  1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.0.2
  2. Clone the slsa-verifier repo, compile and verify the provenance:

     $ git clone [email protected]:slsa-framework/slsa-verifier.git
     $ cd slsa-verifier
     $ (Optional: git checkout tags/v1.0.2)
     $ go run . -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -source github.com/slsa-framework/slsa-verifier -tag v1.0.2 -branch release/v1.0

  3. Get the hash. Either:

     cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

     or

     sha256sum slsa-verifier-linux-amd64
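The `jq | base64 -d | jq` pipeline above pulls the subject digest out of the DSSE envelope in the `.intoto.jsonl` file, and the reviewer then compares it with `sha256sum` of the download. The following is an added example, not code from the PR or from the slsa-verifier project, that does the same digest binding check in Python so the steps are explicit: decode the envelope, read every subject's sha256, and compare it with the hash of the bytes actually on disk. The artifact bytes and the envelope are constructed inline (the envelope carries no signatures), and `make_envelope`, `subject_digests` and `artifact_matches` are names chosen here. It checks only that the provenance names the file and that the digests agree; the signature, Rekor log entry and builder identity are what `slsa-verifier` itself verifies and are out of scope for this snippet.

```python
import base64
import hashlib
import json

# Constructed stand-in for a released binary (not the real slsa-verifier-linux-amd64).
SAMPLE_ARTIFACT_NAME = "slsa-verifier-linux-amd64"
SAMPLE_ARTIFACT = b"\x7fELF constructed sample bytes, not a real binary\n"

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_envelope(name: str, data: bytes) -> str:
    """Build one .intoto.jsonl line: a DSSE envelope whose payload is an
    in-toto Statement naming `name` with its sha256. The signatures list is
    left empty because this constructed sample only exercises the digest check."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicate": {},
    }
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [],
    }
    return json.dumps(envelope)


def subject_digests(envelope_line: str) -> dict:
    """Equivalent of `jq -r .payload | base64 -d | jq .subject`: return a
    {subject name: sha256 hex} map for every subject in the envelope."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    digests = {}
    for subject in statement.get("subject", []):
        sha256 = subject.get("digest", {}).get("sha256")
        if not sha256:
            raise ValueError(f"subject {subject.get('name')!r} has no sha256 digest")
        digests[subject["name"]] = sha256.lower()
    return digests


def artifact_matches(envelope_line: str, name: str, data: bytes) -> bool:
    """True only if the provenance names this artifact and the recorded
    sha256 equals the sha256 of the bytes that were actually downloaded."""
    expected = subject_digests(envelope_line).get(name)
    if expected is None:
        return False  # provenance does not cover this artifact at all
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    env = make_envelope(SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT)
    print("provenance digests:", subject_digests(env))
    print("intact artifact matches:", artifact_matches(env, SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT))
    # A single appended byte changes the digest, so the check must fail.
    print("tampered artifact matches:", artifact_matches(env, SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT + b"x"))
```

The name lookup matters as much as the hash comparison: an envelope whose subject list does not include the file being checked proves nothing about it, so `artifact_matches` treats a missing subject the same as a digest mismatch.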

asraa requested a review from laurentsimon July 25, 2022 18:37

laurentsimon (Contributor) commented Jul 25, 2022

v1.2.0 verifies

go run . -provenance slsa-verifier-linux-amd64.intoto.jsonl -artifact-path slsa-verifier-linux-amd64 -source github.com/slsa-framework/slsa-verifier -tag v1.2.0 -print-provenance | jq -r '.subject[0].digest.sha256'
Verified signature against tlog entry index 3027785 at URL: https://rekor.sigstore.dev/api/v1/log/entries/0cdff5b6a013379f9c1c5c6c598ad73c60de5acd969ba70ea2e874098b6e789f
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1 at commit fb9aeaf6384fd588e56ad90978fe025b3fd44849
PASSED: Verified SLSA provenance
37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d

and

sha256sum slsa-verifier-linux-amd64
37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d

laurentsimon (Contributor) commented

v1.0.2 verifies

go run . -provenance slsa-verifier-linux-amd64.intoto.jsonl -artifact-path slsa-verifier-linux-amd64 -source github.com/slsa-framework/slsa-verifier -tag v1.0.2 -print-provenance -branch release/v1.0 | jq -r '.subject[0].digest.sha256'
Getting rekor entry error error creating intoto entry: no signing certificate found in intoto envelope, trying Redis search index to find entries by subject digest
Verified signature against tlog entry index 2924121 at URL: https://rekor.sigstore.dev/api/v1/log/entries/18b480ffea3e702fc4a0eaed5194361f3fd6989377d9d883c8ec971f1bad8454
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v0.0.1 at commit ae29694378b726825f8ff792161df57a7eff8698
PASSED: Verified SLSA provenance
bcefa5173ad84fbb10d3aeae95c1087f6a61e51836b932c60be85c78d570c403
sha256sum slsa-verifier-linux-amd64
bcefa5173ad84fbb10d3aeae95c1087f6a61e51836b932c60be85c78d570c403  slsa-verifier-linux-amd64

laurentsimon (Contributor) left a review comment

Thank you!

laurentsimon merged commit ad90b50 into slsa-framework:main Jul 25, 2022
laurentsimon pushed a commit to laurentsimon/slsa-verifier that referenced this pull request Aug 3, 2022