Skip to content

Commit

Permalink
📖 Fix links. (#2703)
Browse files Browse the repository at this point in the history
* Fix link.

Signed-off-by: Theodore Tsirpanis <teo@tsirpanis.gr>

* Update two more links.

Signed-off-by: Theodore Tsirpanis <teo@tsirpanis.gr>

---------

Signed-off-by: Theodore Tsirpanis <teo@tsirpanis.gr>
  • Loading branch information
teo-tsirpanis authored Feb 28, 2023
1 parent 35a7dd5 commit 8add330
Show file tree
Hide file tree
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,7 @@ Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify y

###### Verifying SLSA provenance for downloaded releases

We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
We generate [SLSA3 signatures](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
2. Download the signature file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/GoogleContainerTools/jib/releases/latest).
3. Run the verifier:
Expand Down
2 changes: 1 addition & 1 deletion docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -589,7 +589,7 @@ Signed releases attest to the provenance of the artifact.
This check looks for the following filenames in the project's last five
[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
*.sig, *.sign, [*.intoto.jsonl](slsa.dev).
*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev).

If a signature is found in the assets for each release, a score of 8 is given.
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
Expand Down
2 changes: 1 addition & 1 deletion docs/checks/internal/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -621,7 +621,7 @@ checks:
This check looks for the following filenames in the project's last five
[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
*.sig, *.sign, [*.intoto.jsonl](slsa.dev).
*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev).
If a signature is found in the assets for each release, a score of 8 is given.
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
Expand Down

0 comments on commit 8add330

Please sign in to comment.