slsa-framework · laurentsimon · Aug 25, 2023 · Aug 25, 2023 · Aug 25, 2023 · Aug 25, 2023
@@ -97,7 +97,7 @@ You have two options to install the verifier.
 If you want to install the verifier, you can run the following command:
 
 ```bash
-$ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.3.0
+$ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.4.0
 $ slsa-verifier <options>
 ```
 
@@ -143,7 +143,7 @@ $ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
 
 ```bash
 $ git clone git@github.com:slsa-framework/slsa-verifier.git
-$ cd slsa-verifier && git checkout v2.3.0
+$ cd slsa-verifier && git checkout v2.4.0
 $ go run ./cli/slsa-verifier <options>
 ```
 
@@ -153,7 +153,7 @@ If you need to install the verifier to run in a GitHub workflow, use the install
 
 ### Download the binary
 
-Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0)
+Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)
 
 Download the [SHA256SUM.md](https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md).
 

@@ -83,6 +83,7 @@ Follow the steps:
 $ git clone git@github.com:slsa-framework/slsa-verifier.git
 $ cd slsa-verifier
 # $ (Optional: git checkout tags/v1.1.1: you may need to change the command below)
+# You can run `bash verify-release.sh vX.Y.Z`: it will download all artifacts and verify them.
 $ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag vX.Y.Z
 ```
 

@@ -1,3 +1,12 @@
+### [v2.4.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)
+
+9e67318937b936014b6127affc14bc45f1fb10d9899b0105877778e8179b3029  slsa-verifier-darwin-amd64
+b55009be65f8f6dae4399522e4ab5685a5cfe0b72dca3134f12ba144b8860607  slsa-verifier-darwin-arm64
+9883e4c7fd0fead95815de1533db62d1ae19daf9d333b359e192fc65ffb401b2  slsa-verifier-linux-amd64
+bb025462acd9e93da32694e3ed82bfa57cb487a28c989a083caf2a3569d3cfbe  slsa-verifier-linux-arm64
+a8ea35a4abf450f3828d42cf0b9be3628692508184bec8610a472a7bf4afc843  slsa-verifier-windows-amd64.exe
+b14cd8228fecabe53e3676ec2d94b53d7aee11f6f5a8dabbe07e840143d48e8d  slsa-verifier-windows-arm64.exe
+
 ### [v2.3.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0)
 
 44ae609925c2dddafa45b2f98da62b40abcf739bbbe6f9dc792f3aba6e236e9c slsa-verifier-darwin-amd64

@@ -11,7 +11,7 @@ For more information about SLSA in general, see [https://slsa.dev](https://slsa.
 To install a specific version of `slsa-verifier`, use:
 
 ```yaml
-uses: slsa-framework/slsa-verifier/actions/installer@v2.3.0
+uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
 ```
 
 See https://github.com/slsa-framework/slsa-verifier/releases for the list of available `slsa-verifier` releases. Only versions greater or equal to 2.0.1 are supported.

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 tag"
+    exit 1
+fi
+
+# Verify GH_TOKEN is set.
+if [[ -z "${GH_TOKEN:-}" ]]; then
+    echo "GH_TOKEN is unset"
+    exit 1
+fi
+
+# Set the gh CLI.
+if [[ -z "${GH:-}" ]]; then
+    GH="gh"
+fi
+
+dir=$(mktemp -d)
+tag="$1"
+
+mkdir -p "${dir}"
+rm -rf "${dir:?}/"* 2>/dev/null || true
+
+echo "INFO: using dir: ${dir}"
+echo
+
+# Download artifacts and provenance.
+cd "${dir}"
+"${GH}" release -R slsa-framework/slsa-verifier download "${tag}"
+cd -
+
+for file in "${dir}"/*; do 
+    if [[ "${file}" == *".intoto.jsonl" ]]; then
+        continue
+    fi
+    go run ./cli/slsa-verifier verify-artifact "${file}" --provenance-path "${file}".intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag "${tag}"
+done