From fe2848026d6db5aa6de9ef1ee8af7179c1e4e35e Mon Sep 17 00:00:00 2001
From: gal-legit <gal@legitsecurity.com>
Date: Tue, 22 Nov 2022 10:26:19 +0200
Subject: [PATCH] add notes

---
 internal/builders/generic/README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index 8cd650d2d9..12c16bbda8 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -321,6 +321,10 @@ This section explains how to generate non-forgeable SLSA provenance with existin
 
 If you use [GoReleaser](https://github.com/goreleaser/goreleaser-action) to generate your build, you can easily
 generate SLSA3 provenance by updating your existing workflow with the steps indicated in the workflow below:
+**Notes**:
+- Make sure you did not disable checksum generation in the goreleaser yml.
+- Make sure you specified sha256 as the algorithm for the checksum or left it empty (sha256 is the default).
+- To enable provenance generation for dockers (as well as artifacts), use goreleaser version >= v1.13.0.
 
 1. Declare an `outputs` for the GoReleaser job:
 
@@ -331,7 +335,7 @@ jobs:
       hashes: ${{ steps.hash.outputs.hashes }}
 ```
 
-2. Add an `id: run-goreleaser` field to your goreleaser step. Use goreleaser version >= v1.13.0 to enable provenance generation for dockers.
+2. Add an `id: run-goreleaser` field to your goreleaser step:
 
 ```yaml
     steps: