Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Set the sha256 for slsa-verifier's v0.0.1 #113

Merged
merged 2 commits into from
May 26, 2022
Merged

✨ Set the sha256 for slsa-verifier's v0.0.1 #113

merged 2 commits into from
May 26, 2022

Conversation

laurentsimon
Copy link
Collaborator

@laurentsimon laurentsimon commented May 26, 2022
edited
Loading

This sets the expected sha256 of the v0.0.1 slsa-verifier released binary.

How to LGTM this PR (I'll work on a proper doc for this in #112):

  1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1
  2. Clone the slsa-verifier repo, compile and verify the provenance:
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ (Optional: git checkout tags/v1.0.0)
$ go run . -artifact-path slsa-verifier-linux-amd64 -provenance slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v0.0.1
  1. Get the hash.
    Either:
cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

sha256sum slsa-verifier-linux-amd64

The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM

@laurentsimon laurentsimon marked this pull request as draft May 26, 2022 16:42
@laurentsimon laurentsimon marked this pull request as ready for review May 26, 2022 16:49
asraa
asraa approved these changes May 26, 2022
View reviewed changes
Copy link
Collaborator

@asraa asraa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed hash!

asraa@asraa1:~/git/slsa-verifier$ go run . -artifact-path ~/Downloads/slsa-verifier-linux-amd64 -provenance ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag v0.0.1
Verified against tlog entry 2461359
verified SLSA provenance produced at 
 {
	"caller": "slsa-framework/slsa-verifier",
	"commit": "f9e31da2a547a0c7093085a503c08a77167d5fea",
	"job_workflow_ref": "/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v0.0.1",
	"trigger": "push",
	"issuer": "https://token.actions.githubusercontent.com"
}
successfully verified SLSA provenance
asraa@asraa1:~/git/slsa-verifier$ sha256sum ~/Downloads/slsa-verifier-linux-amd64
60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd  /home/asraa/Downloads/slsa-verifier-linux-amd64

@laurentsimon laurentsimon merged commit b18a9ec into slsa-framework:main May 26, 2022
@laurentsimon laurentsimon mentioned this pull request May 27, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa approved these changes

@ianlewis ianlewis Awaiting requested review from ianlewis

@MarkLodato MarkLodato Awaiting requested review from MarkLodato

@joshuagl joshuagl Awaiting requested review from joshuagl joshuagl is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@laurentsimon @asraa