diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bb53265966..43c19b1acf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,7 +88,7 @@ jobs:
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
 upload-assets: true
-upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"
 
 verification:
 needs:
diff --git a/docs/install.md b/docs/install.md
index 9f0596dcc1..a082592178 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -13,9 +13,15 @@ We generate [SLSA3 provenance](https://slsa.dev) using the OpenSSF's [slsa-frame
 
 ```shell
 $ curl -sSfL "https://github.com/ko-build/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz" > ko.tar.gz
-$ curl -sSfL https://github.com/ko-build/ko/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
-$ slsa-verifier -artifact-path ko.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/ko -tag "v${VERSION}"
- PASSED: Verified SLSA provenance
+$ curl -sSfL https://github.com/ko-build/ko/releases/download/v${VERSION}/multiple.intoto.jsonl > multiple.intoto.jsonl
+$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl --source-uri github.com/ko-build/ko --source-tag "v${VERSION}" ko.tar.gz
+Verified signature against tlog entry index 24413745 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ab97a5263b5fa8f35789618348a39358b1f9470b0c31045ef
+fbbe5e23e77a5836
+Verified build using builder https://github.comslsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0 at commit 200db7243f02b5
+c0303e21d8ab8e3b4ad3a229d0
+Verifying artifact ko.tar.gz: PASSED
+
+PASSED: Verified SLSA provenance
 ```
 
 ```shell
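Review bot: The corrected `upload-tag-name` expression only works if the `goreleaser` job declares `tag_name` under its `outputs:`, and that block is outside this hunk; GitHub Actions resolves a reference to an undeclared job output to an empty string rather than failing the run, so if only `hashes` is exported the provenance asset would be uploaded against an empty tag and the mis-wiring this commit fixes would reappear silently. Please confirm `tag_name` sits next to `hashes` in that job's `outputs:` (the `base64-subjects` line two lines above already relies on the same job, so the two references are now consistently paired). A short comment on the changed line would keep them paired for future edits, for example `# tag_name must come from the same job that produced hashes so the provenance is attached to the matching release`. The enclosing provenance job's `needs:` and `outputs:` start outside the hunk.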