releases: add new releases to SHA256SUM.md #347

Merged: 1 commit, Nov 1, 2022

@asraa asraa commented Oct 31, 2022

Signed-off-by: Asra Ali <asraa@google.com>

To verify these hashes, do the following for https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.2, https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.2.2, https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.1.3, https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.0.5

1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.2 (or the other)
2. Clone the slsa-verifier repo, compile and verify the provenance:

```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.3.2 --source-branch release/v1.3
```

3. Get the hash.
   Either:

```
cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'
```

or

```
sha256sum slsa-verifier-linux-amd64
```

Signed-off-by: Asra Ali <asraa@google.com>
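
The two ways of getting the hash in step 3 should agree, and the following added example (not part of the pull request or of slsa-verifier) checks that by decoding the provenance payload and comparing its subject digest with the binary's own SHA-256. It goes slightly beyond the `jq` command by matching the subject by name instead of taking `subject[0]`; the function names and the sample envelope are constructed for illustration.

```python
import base64
import hashlib
import json


def provenance_digests(jsonl_text):
    """Return {subject name: sha256 hex} for every envelope in a .intoto.jsonl file."""
    digests = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        statement = json.loads(base64.b64decode(envelope["payload"]))
        for subject in statement.get("subject", []):
            sha = subject.get("digest", {}).get("sha256")
            if sha:
                digests[subject.get("name")] = sha.lower()
    return digests


def check_artifact(artifact_bytes, name, jsonl_text):
    """Compare the artifact's SHA-256 with the provenance subject of the same name."""
    # The payload digest is only trustworthy once verify-artifact (step 2) has
    # succeeded; this function does not check the envelope signature.
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    expected = provenance_digests(jsonl_text).get(name)
    if expected is None:
        return False, actual, "no subject named %r in provenance" % name
    if expected != actual:
        return False, actual, "digest mismatch: provenance says " + expected
    return True, actual, "match"


def constructed_provenance(name, data):
    # Constructed, unsigned sample with the field layout the jq command reads.
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}]}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []}) + "\n"


if __name__ == "__main__":
    binary = b"constructed stand-in for slsa-verifier-linux-amd64"
    prov = constructed_provenance("slsa-verifier-linux-amd64", binary)
    print(check_artifact(binary, "slsa-verifier-linux-amd64", prov))
    print(check_artifact(binary + b"tampered", "slsa-verifier-linux-amd64", prov))
```

A digest that appears in SHA256SUM.md should come from a run where both step 2 and this comparison passed.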

asraa commented Oct 31, 2022

You can use this script at main in this repository:
https://gist.github.com/asraa/114d70bb51fffba29503a50c81c5435b

@ianlewis ianlewis left a comment

LGTM


ianlewis commented Nov 1, 2022

Done

```
ianlewis@ianlewis at 00:34:26+0000 git:(main $%>) (default)
slsa-verifier$ ./verify-releases.sh

Verified v1.3.2 with sha
b1d6c9bbce6274e253f0be33158cacd7fb894c5ebd643f14a911bfe55574f4c0

Verified v1.2.2 with sha
18f49bffa97b8b4e241cc6a5f04a2edfb32d11a4162928ffa255ce6a59699630

Verified v1.1.3 with sha
fac369a43cc118525a2b12476f39d10c430e7183fcb70351e800686c33583f6e

Verified v1.0.5 with sha
b889a9d34237a0c7d64096bf4af4c200c081cc9bc3b0c60585eac9c4dd5d6d10
```

@ianlewis ianlewis merged commit 26f422b into slsa-framework:main Nov 1, 2022
ramonpetgrave64 pushed a commit to ramonpetgrave64/slsa-verifier that referenced this pull request Apr 18, 2024
)

Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 0.8.0 to 0.8.1.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](sigstore/rekor@v0.8.0...v0.8.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: asraa <asraa@google.com>