diff --git a/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md b/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md index 2eda1734a7b..e5368001251 100644 --- a/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md +++ b/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md @@ -217,14 +217,12 @@ As you can see, generating SLSA provenance for your artifacts with GoReleaser an IMAGE: ${{ needs.goreleaser.outputs.image }} DIGEST: ${{ needs.goreleaser.outputs.digest }} run: | - cosign verify-attestation \ - --type slsaprovenance \ - --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \ - $IMAGE@$DIGEST + slsa-verifier verify-image "$IMAGE@DIGEST" \ + --source-uri "github.com/$GITHUB_REPOSITORY" \ + --source-tag "$GITHUB_REF_NAME" ``` -> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders.slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder._ +> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders. slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder (default to GitHub CI/CD) and the source repository the artifact was built from._ > _[cosign](https://github.com/sigstore/cosign) allows developers to sign artifacts with digital signatures, ensuring the authenticity and integrity of the artifacts. It also enables users to verify signatures on artifacts to confirm that they haven't been tampered with._ 
@@ -232,4 +230,4 @@ Both cosign and slsa-verifier play crucial roles in enhancing the security and t ## Conclusion -In this blog post, we explored how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. We also discussed the importance of software supply chain security and how SLSA provenance can help you enhance the security and trustworthiness of your software supply chain. We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. If you have any questions or feedback, please feel free to reach out to us on GoReleaser discord channel. We would love to hear from you! \ No newline at end of file +In this blog post, we explored how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. We also discussed the importance of software supply chain security and how SLSA provenance can help you enhance the security and trustworthiness of your software supply chain. We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. If you have any questions or feedback, please feel free to reach out to us on GoReleaser discord channel. We would love to hear from you!
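Review bot: the new `slsa-verifier verify-image "$IMAGE@DIGEST"` line in the first hunk is missing the `$` before `DIGEST`, so the shell passes the literal string `DIGEST` instead of the digest exported from the `env` block (`DIGEST: ${{ needs.goreleaser.outputs.digest }}`) and the verification will fail on a malformed image reference; it should read `slsa-verifier verify-image "$IMAGE@$DIGEST" \`. The `--source-uri "github.com/$GITHUB_REPOSITORY"` and `--source-tag "$GITHUB_REF_NAME"` flags rely on GitHub's default runner variables, which is fine for a tag-triggered workflow, but worth a sentence in the surrounding text so readers running this outside a release job know why no extra `env` entries are needed. Since the hunk drops the `cosign verify-attestation` step while the paragraph below still says "Both cosign and slsa-verifier play crucial roles", consider either keeping the cosign example or rewording that sentence so it matches what the snippet now shows. Minor wording in the added blockquote: "(default to GitHub CI/CD)" should be "(defaults to GitHub CI/CD)".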
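Review bot: the second hunk only restores the trailing newline at end of file, which is correct, but while the conclusion is being touched it could be tightened: the sentence beginning "We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance..." repeats the opening sentence almost verbatim and could be dropped, and "on GoReleaser discord channel" should read "on the GoReleaser Discord channel".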