From 594cbee1193dc9d58300603a962cc2de760d931a Mon Sep 17 00:00:00 2001 From: Chris Swan <478926+cpswan@users.noreply.github.com> Date: Tue, 5 Mar 2024 17:57:59 +0000 Subject: [PATCH] :book: Add `.sigstore` bundles to Signed-Releases docs (#3922) Signed-off-by: Chris Swan <478926+cpswan@users.noreply.github.com> --- docs/checks.md | 2 +- docs/checks/internal/checks.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/checks.md b/docs/checks.md index 07ff39dba067..79939e017f84 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -632,7 +632,7 @@ Signed releases attest to the provenance of the artifact. This check looks for the following filenames in the project's last five [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases): [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp), -*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev). +*.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev). If a signature is found in the assets for each release, a score of 8 is given. If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given. diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 64531d47d7a0..3bd6be036ac8 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml 
@@ -626,7 +626,7 @@ checks: This check looks for the following filenames in the project's last five [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases): [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp), - *.sig, *.sign, [*.intoto.jsonl](https://slsa.dev). + *.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev). If a signature is found in the assets for each release, a score of 8 is given. If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
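Review bot: in the docs/checks.md hunk the new `*.sigstore` entry is added to the filename list without a link or a word on what the file is, whereas the neighbouring `*.minisig` and `*.intoto.jsonl` entries are linked to their format's documentation; consider linking `*.sigstore` to the Sigstore bundle format documentation and naming it as a Sigstore bundle so maintainers know which artifact to publish. Since the patch touches only documentation (2 files changed, both under docs/), the PR should also confirm that the check's filename matching already recognizes the `.sigstore` extension; otherwise the docs promise credit the check does not give.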
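Review bot: the checks.yaml hunk keeps its wording identical to the docs/checks.md hunk, which is what is needed since the two files carry the same text, but both leave the following sentences untouched: a signature scores 8 and only `*.intoto.jsonl` (SLSA provenance) reaches 10. That leaves it ambiguous whether a `*.sigstore` bundle is scored purely as a signature or can ever qualify for the maximum score. One clause stating that `*.sigstore` files count as signatures for this check (score of 8) would remove the question.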