mirror of https://github.com/goreleaser/goreleaser.git synced 2025-07-03 00:57:43 +02:00

feat(docs): Update command in SLSA verification blog post (#4420)

Great blog post! I added it to the documentation of the
https://github.com/slsa-framework/slsa-github-generator :)

This PR fixes the command to verify SLSA provenance in the blog post
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.

The verification for binary artifacts is correct.

The verification for container images is incorrect:
- The command verifies the identity of the builder only, but it should
also verify the source repository
- The command does not verify the release version, which _may_ allow an
attacker to perform a downgrade attack. (not a super big deal, but still
useful to close this gap if the image was built on a tag trigger)

This follows the same steps as argoCD's documentation
https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations

Thanks!

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
This commit is contained in:
laurentsimon
2023-11-13 07:35:44 -08:00
committed by GitHub
parent c4a33d5b83
commit b149223223
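The three checks the commit message asks for (builder identity, source repository, release version) as a small shell wrapper around `slsa-verifier verify-image`. This is an added example, not code from the GoReleaser docs or from this PR: the function names `slsa_verify_args` and `slsa_verify_image` and the `SLSA_VERIFIER` variable are assumptions; `IMAGE`, `DIGEST`, `GITHUB_REPOSITORY`, `GITHUB_REF_TYPE` and `GITHUB_REF_NAME` are the GitHub Actions variables the workflow step already has. It fails closed when the job was not triggered by a tag, since `--source-tag` would then be comparing against a branch name, and it joins image and digest in one place so the `$IMAGE@$DIGEST` expansion cannot be mistyped.

```shell
#!/bin/sh
# Added example (not GoReleaser's code): wrapper around `slsa-verifier verify-image`
# that verifies builder identity (done by slsa-verifier itself), source repository
# (--source-uri) and release version (--source-tag), refusing to run on inputs
# that cannot support that check.
# Assumed names: slsa_verify_args, slsa_verify_image, SLSA_VERIFIER (verifier binary).

# Assemble the verifier's arguments, one per line, or print nothing and return 1.
slsa_verify_args() {
  image="$1" digest="$2" repo="$3" ref_type="$4" ref_name="$5"

  # --source-tag only pins a release when the build was triggered by a tag; on a
  # branch push GITHUB_REF_NAME is a branch name and the check would be
  # meaningless, so refuse rather than verify the wrong thing.
  if [ "$ref_type" != "tag" ]; then
    echo "refusing to verify: --source-tag needs a tag trigger, got GITHUB_REF_TYPE=$ref_type" >&2
    return 1
  fi
  # A pinned digest is what ties the verification to exactly one image; reject
  # anything that does not look like sha256:<hex>.
  case "$digest" in
    sha256:[0-9a-f]*) ;;
    *) echo "digest must look like sha256:<hex>, got '$digest'" >&2; return 1 ;;
  esac
  # IMAGE must be a plain name (a tag is fine); a name that already carries an
  # @digest would silently become name@a@b.
  case "$image" in
    *@*) echo "image must not already carry a digest: '$image'" >&2; return 1 ;;
  esac

  # Image and digest are joined here, in exactly one place.
  printf '%s\n' verify-image "${image}@${digest}" \
    --source-uri "github.com/${repo}" \
    --source-tag "$ref_name"
}

# Run the verification with the variables GitHub Actions exports.
slsa_verify_image() {
  args=$(slsa_verify_args "$IMAGE" "$DIGEST" "$GITHUB_REPOSITORY" \
         "$GITHUB_REF_TYPE" "$GITHUB_REF_NAME") || return 1
  # None of the arguments contain whitespace, so default word splitting is safe.
  set -- $args
  "${SLSA_VERIFIER:-slsa-verifier}" "$@"
}
```

In the workflow step this replaces the inline command with `slsa_verify_image`; on a `push` to a branch the step now fails with a clear message instead of passing a branch name as the expected release tag.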


@ -217,14 +217,12 @@ As you can see, generating SLSA provenance for your artifacts with GoReleaser an
IMAGE: ${{ needs.goreleaser.outputs.image }}
DIGEST: ${{ needs.goreleaser.outputs.digest }}
run: |
cosign verify-attestation \
--type slsaprovenance \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
$IMAGE@$DIGEST
slsa-verifier verify-image "$IMAGE@DIGEST" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME"
```
> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders.slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder._
> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders. slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder (default to GitHub CI/CD) and the source repository the artifact was built from._
> _[cosign](https://github.com/sigstore/cosign) allows developers to sign artifacts with digital signatures, ensuring the authenticity and integrity of the artifacts. It also enables users to verify signatures on artifacts to confirm that they haven't been tampered with._
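Review bot: the first added line, `slsa-verifier verify-image "$IMAGE@DIGEST" \`, is missing the `$` before `DIGEST`, so the shell expands it to the literal `<image>@DIGEST` instead of `<image>@sha256:...` and the verifier cannot resolve the artifact; the removed cosign line had it right as `$IMAGE@$DIGEST`. Suggest `slsa-verifier verify-image "$IMAGE@$DIGEST" \`. Separately, `--source-tag "$GITHUB_REF_NAME"` only pins a release when the job runs on a tag trigger, as the commit message itself notes; on a branch push it would pass a branch name, so the surrounding text should state that the step assumes a tag-triggered workflow.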