
feat(docs): Update command in SLSA verification blog post #4420

Merged
merged 2 commits into from Nov 13, 2023

Conversation

laurentsimon
Contributor

@laurentsimon laurentsimon commented Nov 10, 2023

Great blog post! I added it to the documentation of the https://github.com/slsa-framework/slsa-github-generator :)

This PR fixes the command to verify SLSA provenance in the blog post https://goreleaser.com/blog/slsa-generation-for-your-artifacts/.

The verification for binary artifacts is correct.

The verification for container images is incorrect:

  • The command verifies the identity of the builder only, but it should also verify the source repository
  • The command does not verify the release version, which may allow an attacker to perform a downgrade attack. (not a super big deal, but still useful to close this gap if the image was built on a tag trigger)

This follows the same steps on argoCD's documentation https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets/#verification-of-container-image-with-slsa-attestations

Thanks!

Signed-off-by: laurentsimon <laurentsimon@google.com>
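The image verification the description asks for, as an added example that is not part of this PR or of the goreleaser blog post: a small POSIX shell wrapper around `slsa-verifier verify-image` that refuses to run a check pinned to the builder identity alone. It requires a digest-pinned image reference, the expected source repository (`--source-uri`) and the expected release tag (`--source-tag`), and it rejects a reference whose own tag differs from the tag being verified, which is the downgrade case the description mentions. The `--source-uri` and `--source-tag` flags are real slsa-verifier flags; `ghcr.io/example-org/app`, `github.com/example-org/app` and the digest are constructed placeholder values, and `DRY_RUN` is an assumption of this wrapper, not a slsa-verifier option.

```shell
#!/bin/sh
# Added example, not code from the PR or from the goreleaser blog post.
# Wraps `slsa-verifier verify-image` so that a verification always pins the
# source repository and the release tag, not only the builder identity.
# Assumptions: slsa-verifier is on PATH; ghcr.io/example-org/app and
# github.com/example-org/app are constructed placeholder names.
set -u

# is_digest_pinned REF: succeed only if REF ends in @sha256:<64 hex chars>.
# A tag-only reference can be re-pointed after verification, so it is rejected.
is_digest_pinned() {
  case "$1" in
    *@sha256:*) printf '%s' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$' ;;
    *) return 1 ;;
  esac
}

# image_tag REF: print the tag part of REF (before any @digest), if present.
# Only the last path component is inspected, so a registry port such as
# host:5000/app is not mistaken for a tag.
image_tag() {
  last="${1%%@*}"; last="${last##*/}"
  case "$last" in
    *:*) printf '%s\n' "${last##*:}" ;;
    *) return 1 ;;
  esac
}

# verify_image REF SOURCE_URI RELEASE_TAG
# Validates the inputs, then runs slsa-verifier with source and tag pinned.
# With DRY_RUN=1 (an assumption of this wrapper) the command line is printed
# instead of executed.
verify_image() {
  image="$1"; repo="$2"; tag="$3"

  is_digest_pinned "$image" || { echo "refusing: image reference is not digest-pinned" >&2; return 2; }
  case "$repo" in
    github.com/*/*) ;;
    *) echo "refusing: source URI must look like github.com/<org>/<repo>" >&2; return 2 ;;
  esac
  case "$tag" in
    v[0-9]*) ;;
    *) echo "refusing: release tag must look like v1.2.3" >&2; return 2 ;;
  esac
  # If the reference also carries a tag, it must be the version being verified;
  # otherwise an older, validly attested image could pass as this release.
  if t=$(image_tag "$image") && [ "$t" != "$tag" ]; then
    echo "refusing: image tag $t does not match release tag $tag" >&2; return 2
  fi

  set -- slsa-verifier verify-image "$image" --source-uri "$repo" --source-tag "$tag"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; return 0; fi
  "$@"
}

# Usage (constructed digest; replace with the digest your registry reports):
# verify_image "ghcr.io/example-org/app:v1.2.3@sha256:<digest>" \
#   github.com/example-org/app v1.2.3
```

In a deployment pipeline the wrapper would run before the image is pulled for use, and the digest-pinned reference that passed verification is the one handed to the runtime, so the artifact that was checked is the artifact that runs.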
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Nov 10, 2023
@laurentsimon laurentsimon changed the title from "feat(docs): Update command insecure command in SLSA verification blog post" to "feat(docs): Update command in SLSA verification blog post" Nov 10, 2023
Signed-off-by: laurentsimon <laurentsimon@google.com>
@caarlos0
Member

LGTM.

cc/ @developer-guy

Member

@developer-guy developer-guy left a comment


LGTM approved, thanks @laurentsimon for improving the blog 😋

@caarlos0 caarlos0 merged commit b149223 into goreleaser:main Nov 13, 2023
4 of 6 checks passed
@github-actions github-actions bot added this to the v2.0.0 milestone Nov 13, 2023
@caarlos0 caarlos0 modified the milestones: v2.0.0, v1.23.0 Feb 2, 2024