docs: Fix version generation in PROVENANCE file #272

Merged
merged 1 commit
Mar 1, 2024
16 changes: 11 additions & 5 deletions PROVENANCE.md
@@ -7,26 +7,32 @@ As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0
To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages is included below:

<!-- x-release-please-start-version -->
```
Member Author
@rsoberano-ld here is the fix for the release-please version replacement problem we saw in the currently pending release.

Look okay to you?

Contributor
Nice, this looks like it should work nicely! Thanks for the fix.

# Set the version of the SDK to verify
SDK_VERSION=9.2.0
```
<!-- x-release-please-end -->


```
# Download package from PyPi
$ pip download --only-binary=:all: launchdarkly-server-sdk
$ pip download --only-binary=:all: launchdarkly-server-sdk==${SDK_VERSION}

# Download provenance from Github release into same directory
$ curl --location -O \
https://github.com/launchdarkly/python-server-sdk/releases/download/9.2.0/multiple.intoto.jsonl
https://github.com/launchdarkly/python-server-sdk/releases/download/${SDK_VERSION}/multiple.intoto.jsonl

# Run slsa-verifier to verify provenance against package artifacts
$ slsa-verifier verify-artifact \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/launchdarkly/python-server-sdk \
launchdarkly_server_sdk-9.2.0-py3-none-any.whl
launchdarkly_server_sdk-${SDK_VERSION}-py3-none-any.whl
Verified signature against tlog entry index 71399397 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a95c53f2cb33fe2e8c8fbc04591ebf26e4d2796fb2975c3ba377f1dc14507f421
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" at commit 5e818265c9f85ae9a111290bd6a4fad1a08786e9
Verifying artifact launchdarkly_server_sdk-9.2.0-py3-none-any.whl: PASSED
Verifying artifact launchdarkly_server_sdk-${SDK_VERSION}-py3-none-any.whl: PASSED

PASSED: Verified SLSA provenance
```
<!-- x-release-please-end -->

Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.
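Review bot: the sample output at the end of the second block is now a mix of template and literal transcript: the `Verifying artifact launchdarkly_server_sdk-${SDK_VERSION}-py3-none-any.whl: PASSED` line has been templated, but the surrounding lines (tlog entry index 71399397, the builder commit 5e818265c9f85ae9a111290bd6a4fad1a08786e9) are still the values from the 9.2.0 run, and slsa-verifier prints the actual artifact filename rather than a shell variable. Either mark the output as illustrative or keep the literal filename there so readers are not confused when their output differs. Two smaller points: the added `SDK_VERSION=9.2.0` line has no `$ ` prompt while the other commands do, which is inconsistent within the same walkthrough; and `verify-artifact` is invoked with only `--source-uri`, so the check passes for a build of any ref of that repository. Since the release tag already appears in the download URL (`releases/download/${SDK_VERSION}/`), consider also passing `--source-tag ${SDK_VERSION}` (a slsa-verifier flag not shown on this page) so the provenance is verified against the expected release tag as well.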
