Comments (3)
suzuki-shunsuke
commented on August 19, 2024
2
Thank you for releasing v0.9.6. https://github.com/xeol-io/xeol/releases/tag/v0.9.6
I confirmed it worked well.
With --source-tag.
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.6
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit 61495c864e29bb51a3bbb3cef928db6c57a2d386
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: PASSED
PASSED: Verified SLSA provenanceWithout --source-tag.
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit 61495c864e29bb51a3bbb3cef928db6c57a2d386
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: PASSED
PASSED: Verified SLSA provenanceWith invalid --source-tag.
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.5
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: FAILED: expected tag 'refs/tags/v0.9.5', got 'refs/tags/v0.9.6': tag used to generate the binary does not match provenance
FAILED: SLSA verification failed: expected tag 'refs/tags/v0.9.5', got 'refs/tags/v0.9.6': tag used to generate the binary does not match provenancefrom xeol.
noqcks
commented on August 19, 2024
1
ah yes, that is correct, we will need to update the workflows to trigger on a tag instead of via workflow_dispatch. From the slsa-verifier docs.
source-tag: Expects a tag like v0.0.1. Verifies exact tag used to create the binary. Supported for new tag and release triggers.
from xeol.
suzuki-shunsuke
commented on August 19, 2024
I see. I created a pull request to resolve the issue.
from xeol.
Related Issues (20)
- [bug]Not picking up EOL springboot HOT 3
- --lookahead doesn't seem to work HOT 2
- [datasource] Add support for base image deprecation
- Go Module Install/I can't read HOT 2
- Xeol should only use git url when necessary HOT 1
- Not finding EOL software in container images HOT 5
- Not finding EOL'ed versions of HAProxy HOT 1
- Not finding EOL'ed version of nginx in container image
- Confusing warning message
- Allow configurable regex normalization
- [Request] Self Hosted Option HOT 2
- Allow configurable tmp dir for docker image load HOT 1
- xeol fails if sbom.xml is missing some xml tags HOT 1
- copying xeol to `/usr/local/bin` would need root privileges HOT 1
- xeol unable to decode syft-json from versions of syft newer than v0.92 HOT 5
- Better Maven package support HOT 4
- --lookahead flag reports wrong identifier for Months in help CLI HOT 1
- Not finding EOL'ed version of prometheus HOT 1
- open source the data collection scripts HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from xeol.