Commit e2d575c

update crane installation instructions and release verification (#1440)
Signed-off-by: Asra Ali <[email protected]> Signed-off-by: Asra Ali <[email protected]>
1 parent 2859a0d commit e2d575c

2 files changed: +63 -2 lines changed

.github/workflows/release.yml

+45-1
@@ -43,4 +43,48 @@ jobs:
4343
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
4444
with:
4545
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
46-
upload-assets: true # upload to a new release
46+
upload-assets: true # upload to a new release
47+
48+
verification:
49+
needs: [goreleaser, provenance]
50+
runs-on: ubuntu-latest
51+
permissions: read-all
52+
steps:
53+
# Note: this will be replaced with the GHA in the future.
54+
# See https://github.com/slsa-framework/slsa-verifier/issues/95
55+
- name: Install the verifier
56+
env:
57+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
58+
run: |
59+
set -euo pipefail
60+
gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64"
61+
chmod ug+x slsa-verifier-linux-amd64
62+
# Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md
63+
COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1)
64+
EXPECTED_HASH="37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d"
65+
if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then
66+
echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH"
67+
exit 1
68+
fi
69+
- name: Download assets
70+
env:
71+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
72+
run: |
73+
set -euo pipefail
74+
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
75+
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "attestation.intoto.jsonl"
76+
- name: Verify assets
77+
env:
78+
CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
79+
PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}"
80+
run: |
81+
set -euo pipefail
82+
checksums=$(echo "$CHECKSUMS" | base64 -d)
83+
while read -r line; do
84+
fn=$(echo $line | cut -d ' ' -f2)
85+
echo "Verifying $fn"
86+
./slsa-verifier-linux-amd64 -artifact-path "$fn" \
87+
-provenance "$PROVENANCE" \
88+
-source "github.com/$GITHUB_REPOSITORY" \
89+
-tag "$GITHUB_REF_NAME"
90+
done <<<"$checksums"
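Review bot: `fn=$(echo $line | cut -d ' ' -f2)` in the "Verify assets" step only works because the unquoted `$line` lets word-splitting collapse the two spaces that `sha256sum`-style checksum lines put between hash and filename; quoting it (as shellcheck will ask for) would make field 2 empty and the verifier would be handed an empty artifact path. Let `read` do the splitting instead: `while read -r _hash fn; do`. Also, "Download assets" hard-codes `-p "attestation.intoto.jsonl"` while "Verify assets" reads the provenance file name from `$PROVENANCE` (the `attestation-name` output); if the generator ever changes that name, the job fails on a missing file rather than verifying, so download with `-p "$PROVENANCE"` as well. The pinned `EXPECTED_HASH` for the verifier binary deserves a comment stating which release it belongs to (v1.2.0), so that the hash and the version on the `gh release download` line are updated together.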

cmd/crane/README.md

+18-1
@@ -9,8 +9,25 @@ A collection of useful things you can do with `crane` is [here](recipes.md).
99

1010
## Installation
1111

12-
Download [latest release](https://github.com/google/go-containerregistry/releases/latest).
12+
### Install from Releases
13+
Download [latest release](https://github.com/google/go-containerregistry/releases/latest):
1314

15+
```
16+
$ VERSION=TODO # Latest, or other
17+
$ OS=Linux # or Darwin, Windows
18+
$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
19+
$ curl -sL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${VERSION}_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
20+
```
21+
22+
We generate [SLSA 3 provenance](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) and verify as follows:
23+
24+
```
25+
$ curl -sL https://github.com/google/go-containerregistry/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
26+
$ slsa-verifier -artifact-path go-containerregistry.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/go-containerregistry -tag "v${VERSION}"
27+
PASSED: Verified SLSA provenance
28+
```
29+
30+
### Install manually
1431
Install manually:
1532

1633
```
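Review bot: `$ VERSION=TODO # Latest, or other` leaves a literal placeholder in a copy-pastable command, and with `curl -sL` but no `--fail`, a bad version yields a 404 HTML body silently written to `go-containerregistry.tar.gz`; use an example like `VERSION=0.11.0` (or say "see the releases page") and add `--fail` to both `curl` invocations so a missing asset is an error rather than a corrupt download that only the later `slsa-verifier` step catches. Two smaller points: the `ARCH` comment lists `x86_64` twice (`# or arm64, x86_64, armv6, i386, s390x`), and the new `### Install manually` heading is immediately followed by the existing `Install manually:` line, so one of the two should go.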
