verifier: update verifier version to v1.3.2 #1184

asraa · 2022-10-31T21:03:31Z

Signed-off-by: Asra Ali asraa@google.com

Pending slsa-framework/slsa-verifier#347

To verify, see that PR:

Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.3.2 (or the other)
Clone the slsa-verifier repo, compile and verify the provenance:

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$  go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.3.2 --source-branch release/v1.3

Get the hash.
Either:

cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

sha256sum slsa-verifier-linux-amd64

Signed-off-by: Asra Ali <asraa@google.com>

ianlewis · 2022-11-01T00:26:23Z

Verified the binary that I downloaded to ~/bin/slsa-verifier

ianlewis@ianlewis at 00:22:39+0000 git:(main $%>) (default)
slsa-verifier$ go run ./cli/slsa-verifier verify-artifact ~/bin/slsa-verifier --provenance-path ~/bin/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag v1.3.2 --source-branch release/v1.3
go: downloading github.com/spf13/cobra v1.6.1
Verified signature against tlog entry index 6245441 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a6aff24603330a8a53da672f2fbdb0b42bcd8964b0120c271b631bd97fb7f2332
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.1 at commit 0ff665615b2021bbd64762265846bace606e0904
PASSED: Verified SLSA provenance

ianlewis@ianlewis at 00:24:02+0000 git:(main $%>) (default)
slsa-verifier$ sha256sum ~/bin/slsa-verifier
b1d6c9bbce6274e253f0be33158cacd7fb894c5ebd643f14a911bfe55574f4c0  /usr/local/google/home/ianlewis/bin/slsa-verifier

ianlewis

Verified the sha256sum is the same. LGTM

ianlewis · 2022-11-01T00:39:00Z

slsa-framework/slsa-verifier#347 is merged so merging this too.

verifier: update verifier version to v1.3.2

2f8f492

Signed-off-by: Asra Ali <asraa@google.com>

asraa requested review from ianlewis, laurentsimon and joshuagl as code owners October 31, 2022 21:03

ianlewis approved these changes Nov 1, 2022

View reviewed changes

ianlewis merged commit 67e7b12 into slsa-framework:main Nov 1, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

verifier: update verifier version to v1.3.2 #1184

verifier: update verifier version to v1.3.2 #1184

asraa commented Oct 31, 2022

ianlewis commented Nov 1, 2022

ianlewis left a comment

ianlewis commented Nov 1, 2022

verifier: update verifier version to v1.3.2 #1184

verifier: update verifier version to v1.3.2 #1184

Conversation

asraa commented Oct 31, 2022

ianlewis commented Nov 1, 2022

ianlewis left a comment

Choose a reason for hiding this comment

ianlewis commented Nov 1, 2022