From b14922322317aa6522d05f6b24856fd89a760bbc Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Date: Mon, 13 Nov 2023 07:35:44 -0800
Subject: [PATCH] feat(docs): Update command in SLSA verification blog post (#4420)

Great blog post! I added it to the documentation of the https://github.com/slsa-framework/slsa-github-generator :)

This PR fixes the command to verify SLSA provenance in the blog post https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.

The verification for binary artifacts is correct. The verification for container images is incorrect:

- The command verifies the identity of the builder only, but it should also verify the source repository
- The command does not verify the release version, which _may_ allow an attacker to perform a downgrade attack. (not a super big deal, but still useful to close this gap if the image was built on a tag trigger)

This follows the same steps on argoCD's documentation https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations

Thanks!

---------

Signed-off-by: laurentsimon
---
 .../2023-10-08-slsa-generation-for-your-artifacts.md | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md b/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md
index 2eda1734a7b..e5368001251 100644
--- a/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md
+++ b/www/docs/blog/posts/2023-10-08-slsa-generation-for-your-artifacts.md
@@ -217,14 +217,12 @@ As you can see, generating SLSA provenance for your artifacts with GoReleaser an IMAGE: ${{ needs.goreleaser.outputs.image }} DIGEST: ${{ needs.goreleaser.outputs.digest }} run: | - cosign verify-attestation \ - --type slsaprovenance \ - --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \ - $IMAGE@$DIGEST + slsa-verifier verify-image "$IMAGE@DIGEST" \ + --source-uri "github.com/$GITHUB_REPOSITORY" \ + --source-tag "$GITHUB_REF_NAME" ``` -> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders.slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder._ +> _[slsa-verifier](https://github.com/slsa-framework/slsa-verifier) is a tool for verifying SLSA provenance that was generated by CI/CD builders. slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder (default to GitHub CI/CD) and the source repository the artifact was built from._ > _[cosign](https://github.com/sigstore/cosign) allows developers to sign artifacts with digital signatures, ensuring the authenticity and integrity of the artifacts. It also enables users to verify signatures on artifacts to confirm that they haven't been tampered with._ 
@@ -232,4 +230,4 @@ Both cosign and slsa-verifier play crucial roles in enhancing the security and t ## Conclusion -In this blog post, we explored how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. We also discussed the importance of software supply chain security and how SLSA provenance can help you enhance the security and trustworthiness of your software supply chain. We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. If you have any questions or feedback, please feel free to reach out to us on GoReleaser discord channel. We would love to hear from you! \ No newline at end of file +In this blog post, we explored how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. We also discussed the importance of software supply chain security and how SLSA provenance can help you enhance the security and trustworthiness of your software supply chain. We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process. If you have any questions or feedback, please feel free to reach out to us on GoReleaser discord channel. We would love to hear from you!
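Review bot: in the first hunk, the new `run:` line `slsa-verifier verify-image "$IMAGE@DIGEST"` is missing the `$` before `DIGEST`, so the step passes the literal string `DIGEST` instead of the value declared in the `env` block and never verifies the image digest the workflow just built; the removed cosign line had it right as `$IMAGE@$DIGEST`, so this should read `slsa-verifier verify-image "$IMAGE@$DIGEST" \`. Two smaller points in the same hunk: `--source-tag "$GITHUB_REF_NAME"` only matches the provenance when the workflow runs on a tag push (the PR description says as much), so the post should state that assumption next to the command, and the shown context contains no step that installs `slsa-verifier` where cosign was used before, so confirm one exists earlier in the job. In the rewritten quote, "(default to GitHub CI/CD)" should be "(defaults to GitHub CI/CD)".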
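Review bot: the second hunk only restores the missing newline at end of file, which is fine, but since the line is being touched anyway: the conclusion repeats its opening sentence almost verbatim ("We hope that this blog post has been helpful in understanding how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process"), and "on GoReleaser discord channel" should be "on the GoReleaser Discord channel". Consider trimming the repeated sentence here or in a follow-up.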