feat(docs): Update command in SLSA verification blog post (#4420)
Great blog post! I added it to the documentation of the
https://github.com/slsa-framework/slsa-github-generator :)

This PR fixes the command to verify SLSA provenance in the blog post
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.

The verification for binary artifacts is correct.

The verification for container images is incorrect:
- The command verifies the identity of the builder only, but it should
also verify the source repository
- The command does not verify the release version, which _may_ allow an
attacker to perform a downgrade attack. (not a super big deal, but still
useful to close this gap if the image was built on a tag trigger)

This follows the same steps on argoCD's documentation
https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations

Thanks!

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
laurentsimon committed Nov 13, 2023
1 parent c4a33d5 commit b149223
Showing 1 changed file with 5 additions and 7 deletions.
Expand Up @@ -217,19 +217,17 @@ As you can see, generating SLSA provenance for your artifacts with GoReleaser an
IMAGE: ${{ needs.goreleaser.outputs.image }}
DIGEST: ${{ needs.goreleaser.outputs.digest }}
run: |
cosign verify-attestation \
--type slsaprovenance \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
$IMAGE@$DIGEST
slsa-verifier verify-image "$IMAGE@DIGEST" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME"
```

> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders.slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder._
> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders. slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder (default to GitHub CI/CD) and the source repository the artifact was built from._
> _[cosign](https://github.com/sigstore/cosign) allows developers to sign artifacts with digital signatures, ensuring the authenticity and integrity of the artifacts. It also enables users to verify signatures on artifacts to confirm that they haven't been tampered with._
Both cosign and slsa-verifier play crucial roles in enhancing the security and trustworthiness of software supply chains, particularly in containerized and cloud-native application development. To get the latest information and updates on these tools, it's recommended to refer to their respective documentation and GitHub repositories or official websites.

## Conclusion

In this blog post, we explored how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. We also discussed the importance of software supply chain security and how SLSA provenance can help you enhance the security and trustworthiness of your software supply chain. We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. If you have any questions or feedback, please feel free to reach out to us on GoReleaser discord channel. We would love to hear from you!
In this blog post, we explored how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. We also discussed the importance of software supply chain security and how SLSA provenance can help you enhance the security and trustworthiness of your software supply chain. We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. If you have any questions or feedback, please feel free to reach out to us on GoReleaser discord channel. We would love to hear from you!

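Review bot: the added line `slsa-verifier verify-image "$IMAGE@DIGEST" \` is missing the `$` before `DIGEST`, so the shell passes the literal string `@DIGEST` instead of the digest exported by the goreleaser job (the removed cosign line correctly used `$IMAGE@$DIGEST`), and verification will fail or, worse, readers will copy a broken command. Suggest `slsa-verifier verify-image "$IMAGE@$DIGEST" \`. A second point on the same hunk: `--source-tag "$GITHUB_REF_NAME"` only matches the provenance when the workflow runs on a tag push, since on a branch push `GITHUB_REF_NAME` expands to the branch name; that matches the tag-trigger assumption stated in the commit message, but the blog text around the snippet should say so, or show `--source-branch` for branch-triggered builds, so readers do not wonder why verification fails on a non-tag run.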