mirror of
https://github.com/goreleaser/goreleaser.git
synced 2025-02-09 13:36:56 +02:00
Great blog post! I added it to the documentation of the https://github.com/slsa-framework/slsa-github-generator :)

This PR fixes the command to verify SLSA provenance in the blog post https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.

The verification for binary artifacts is correct. The verification for container images is incorrect:

- The command verifies the identity of the builder only, but it should also verify the source repository
- The command does not verify the release version, which _may_ allow an attacker to perform a downgrade attack. (not a super big deal, but still useful to close this gap if the image was built on a tag trigger)

This follows the same steps on argoCD's documentation https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations

Thanks!

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
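The commit message lists three properties a consumer must check in container-image provenance: the builder identity, the source repository, and the release tag. The script below is an added example, not code from goreleaser, slsa-github-generator or the blog post; it runs the same three checks over a constructed SLSA v0.2-style predicate so the two gaps named above (a provenance from a different repository built by the trusted builder, and a provenance for an older tag) are visible as distinct failures. The repository name, tag values and commit digest are placeholders.

```python
import re

# Constructed stand-in for the builder id that the slsa-github-generator
# container workflow records in provenance; the generator version is a placeholder.
TRUSTED_BUILDER = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_container_slsa3.yml@refs/tags/v1.4.0"
)

# Accept only the container workflow of the generator, pinned to a release tag.
TRUSTED_BUILDER_RE = re.compile(
    r"^https://github\.com/slsa-framework/slsa-github-generator/"
    r"\.github/workflows/generator_container_slsa3\.yml@refs/tags/v\d+\.\d+\.\d+$"
)


def make_provenance(repo="github.com/example-org/example-app",
                    tag="v1.2.3", builder=TRUSTED_BUILDER):
    """Return a constructed SLSA v0.2-style predicate with only the fields
    the checks below read (placeholder repository, tag and commit digest)."""
    return {
        "builder": {"id": builder},
        "invocation": {
            "configSource": {
                "uri": f"git+https://{repo}@refs/tags/{tag}",
                "digest": {"sha1": "0" * 40},  # placeholder commit digest
            }
        },
    }


def parse_source_uri(uri):
    """Split 'git+https://<repo>@refs/tags/<tag>' into (repo, tag)."""
    m = re.fullmatch(r"git\+https://([^@]+)@refs/tags/(.+)", uri)
    return (m.group(1), m.group(2)) if m else (None, None)


def verify(pred, expected_repo, expected_tag):
    """Return a list of failure messages; an empty list means the provenance
    passes all three checks (trusted builder, expected repository, expected tag)."""
    failures = []

    # 1. Builder identity: who produced the provenance.
    builder_id = pred.get("builder", {}).get("id", "")
    if not TRUSTED_BUILDER_RE.match(builder_id):
        failures.append(f"builder id not trusted: {builder_id}")

    # 2. Source repository: the trusted builder also builds other people's
    #    repositories, so the builder check alone does not bind the image to ours.
    uri = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    repo, tag = parse_source_uri(uri)
    if repo != expected_repo:
        failures.append(f"source repository mismatch: {repo}")

    # 3. Release tag: without this, a genuine but older image of the same
    #    repository would still verify (downgrade).
    if tag != expected_tag:
        failures.append(f"release tag mismatch: built from {tag}, expected {expected_tag}")

    return failures


if __name__ == "__main__":
    expected = ("github.com/example-org/example-app", "v1.2.3")
    print("matching provenance:", verify(make_provenance(), *expected))
    print("other repository:  ", verify(make_provenance(repo="github.com/someone-else/example-app"), *expected))
    print("older tag:         ", verify(make_provenance(tag="v1.0.0"), *expected))
```

With a real attestation, the `slsa-verifier verify-image` subcommand applies the repository and tag checks through its `--source-uri` and `--source-tag` flags, which is why the corrected command in the blog post passes both rather than only matching the builder's certificate identity.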