lvyaoting
|
eba43c289e
|
chore: fix some comments (#4769)
fix some comments
Signed-off-by: lvyaoting <lvyaoting@outlook.com>
|
2024-04-08 10:08:09 -03:00 |
|
Oleksandr Redko
|
f6615b138b
|
docs: fix typos (#4764)
This PR corrects grammar mistakes in documentation:
- artefacts -> artifacts
- Dockefile -> Dockerfile
- compliation -> compilation
- gorleaser -> goreleaser
- repositores -> repositories
- succesfull -> successful
|
2024-04-07 23:04:15 -03:00 |
|
Carlos Alexandro Becker
|
87aa3b6251
|
docs(blog): fixed backlinks, imported last post
refs #3503
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
|
2024-02-04 17:36:45 -03:00 |
|
Carlos Alexandro Becker
|
7e481967b3
|
docs: update users, blog posts divider
|
2023-12-04 13:51:23 -03:00 |
|
laurentsimon
|
b149223223
|
feat(docs): Update command in SLSA verification blog post (#4420)
Great blog post! I added it to the documentation of the
https://github.com/slsa-framework/slsa-github-generator :)
This PR fixes the command to verify SLSA provenance in the blog post
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.
The verification for binary artifacts is correct.
The verification for container images is incorrect:
- The command verifies the identity of the builder only, but it should
also verify the source repository
- The command does not verify the release version, which _may_ allow an
attacker to perform a downgrade attack. (not a super big deal, but still
useful to close this gap if the image was built on a tag trigger)
This follows the same steps on argoCD's documentation
https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations
Thanks!
---------
Signed-off-by: laurentsimon <laurentsimon@google.com>
|
2023-11-13 12:35:44 -03:00 |
|
Batuhan Apaydın
|
a932dd85de
|
SLSA Provenance generation blog post (#4361)
kindly ping @Dentrax
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
|
2023-10-11 09:41:49 -03:00 |
|