From d23c97947e359ba35a745e249f3713b87df04c39 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Fri, 25 Aug 2023 12:09:40 -0700 Subject: [PATCH] chore: Update doc for v2.4.0 (#699) How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112): 1. Clone repo ``` $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier $ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR. # Note down the path to the temporary dir use. The bash script will print its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL" ``` 2. Run command below and compare to SHA256SUM.md in this PR ``` $sha256sum /tmp/tmp.VaYi6HfbmL/* ``` The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM --------- Signed-off-by: laurentsimon --- README.md | 6 +++--- RELEASE.md | 1 + SHA256SUM.md | 9 +++++++++ actions/installer/README.md | 2 +- verify-release.sh | 40 +++++++++++++++++++++++++++++++++++++ 5 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 verify-release.sh diff --git a/README.md b/README.md index a02720e56..e863286d4 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ You have two options to install the verifier. If you want to install the verifier, you can run the following command: ```bash -$ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.3.0 +$ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.4.0 $ slsa-verifier ``` @@ -143,7 +143,7 @@ $ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier ```bash $ git clone git@github.com:slsa-framework/slsa-verifier.git -$ cd slsa-verifier && git checkout v2.3.0 +$ cd slsa-verifier && git checkout v2.4.0 $ go run ./cli/slsa-verifier ``` @@ -153,7 +153,7 @@ If you need to install the verifier to run in a GitHub workflow, use the install ### Download the binary -Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0) +Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) Download the [SHA256SUM.md](https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md). diff --git a/RELEASE.md b/RELEASE.md index f9e4f6d2a..bb11f2200 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -83,6 +83,7 @@ Follow the steps: $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier # $ (Optional: git checkout tags/v1.1.1: you may need to change the command below) +# You can run `bash verify-release.sh vX.Y.Z`: it will download all artifacts and verify them. $ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag vX.Y.Z ``` diff --git a/SHA256SUM.md b/SHA256SUM.md index 10421bbb4..c07563b36 100644 --- a/SHA256SUM.md +++ b/SHA256SUM.md @@ -1,3 +1,12 @@ +### [v2.4.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) + +9e67318937b936014b6127affc14bc45f1fb10d9899b0105877778e8179b3029 slsa-verifier-darwin-amd64 +b55009be65f8f6dae4399522e4ab5685a5cfe0b72dca3134f12ba144b8860607 slsa-verifier-darwin-arm64 +9883e4c7fd0fead95815de1533db62d1ae19daf9d333b359e192fc65ffb401b2 slsa-verifier-linux-amd64 +bb025462acd9e93da32694e3ed82bfa57cb487a28c989a083caf2a3569d3cfbe slsa-verifier-linux-arm64 +a8ea35a4abf450f3828d42cf0b9be3628692508184bec8610a472a7bf4afc843 slsa-verifier-windows-amd64.exe +b14cd8228fecabe53e3676ec2d94b53d7aee11f6f5a8dabbe07e840143d48e8d slsa-verifier-windows-arm64.exe + ### [v2.3.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0) 44ae609925c2dddafa45b2f98da62b40abcf739bbbe6f9dc792f3aba6e236e9c slsa-verifier-darwin-amd64 diff --git a/actions/installer/README.md b/actions/installer/README.md index 40bac4f34..b88b2fc0c 100644 --- a/actions/installer/README.md +++ b/actions/installer/README.md @@ -11,7 +11,7 @@ For more information about SLSA in general, see [https://slsa.dev](https://slsa. To install a specific version of `slsa-verifier`, use: ```yaml -uses: slsa-framework/slsa-verifier/actions/installer@v2.3.0 +uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0 ``` See https://github.com/slsa-framework/slsa-verifier/releases for the list of available `slsa-verifier` releases. Only versions greater or equal to 2.0.1 are supported. diff --git a/verify-release.sh b/verify-release.sh new file mode 100644 index 000000000..67d17db47 --- /dev/null +++ b/verify-release.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +set -euo pipefail + +if [ "$#" -ne 1 ]; then + echo "Usage: $0 tag" + exit 1 +fi + +# Verify GH_TOKEN is set. +if [[ -z "${GH_TOKEN:-}" ]]; then + echo "GH_TOKEN is unset" + exit 1 +fi + +# Set the gh CLI. +if [[ -z "${GH:-}" ]]; then + GH="gh" +fi + +dir=$(mktemp -d) +tag="$1" + +mkdir -p "${dir}" +rm -rf "${dir:?}/"* 2>/dev/null || true + +echo "INFO: using dir: ${dir}" +echo + +# Download artifacts and provenance. +cd "${dir}" +"${GH}" release -R slsa-framework/slsa-verifier download "${tag}" +cd - + +for file in "${dir}"/*; do + if [[ "${file}" == *".intoto.jsonl" ]]; then + continue + fi + go run ./cli/slsa-verifier verify-artifact "${file}" --provenance-path "${file}".intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag "${tag}" +done