mirror of https://github.com/goreleaser/goreleaser.git synced 2025-02-11 13:38:41 +02:00
laurentsimon b149223223
feat(docs): Update command in SLSA verification blog post (#4420)
Great blog post! I added it to the documentation of the
https://github.com/slsa-framework/slsa-github-generator :)

This PR fixes the command to verify SLSA provenance in the blog post
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.

The verification for binary artifacts is correct.

The verification for container images is incorrect:
- The command verifies the identity of the builder only, but it should
also verify the source repository
- The command does not verify the release version, which _may_ allow an
attacker to perform a downgrade attack. (not a super big deal, but still
useful to close this gap if the image was built on a tag trigger)

This follows the same steps on argoCD's documentation
https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations

Thanks!

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
2023-11-13 12:35:44 -03:00

Documentation

Documentation is written in mkdocs and there are a few extensions that allow richer authoring than markdown.

To iterate on the documentation, it is recommended to run the mkdocs server and view your pages in a browser.

Prerequisites

NOTE to M1/M2 mac owners

If running on an arm64-based Mac (M1 or M2, aka "Apple Silicon"), you may find this method quite slow. Until multiarch docker images can be built and made available, you may wish to build your own via:

git clone git@github.com:squidfunk/mkdocs-material.git
cd mkdocs-material
docker build -t docker.io/squidfunk/mkdocs-material .