Merged
25 changes: 21 additions & 4 deletions PROVENANCE.md
Expand Up @@ -6,19 +6,36 @@ As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0

To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages is included below:

<!-- x-release-please-start-version -->
```
# Set the version of the SDK to verify
SDK_VERSION=8.3.0
```
<!-- x-release-please-end -->

```
# Download gem
$ gem fetch launchdarkly-server-sdk
$ gem fetch launchdarkly-server-sdk -v $SDK_VERSION

# Download provenance from Github release
$ curl --location -O \
https://github.com/launchdarkly/ruby-server-sdk/releases/download/VERSION/multiple.intoto.jsonl
https://github.com/launchdarkly/ruby-server-sdk/releases/download/${SDK_VERSION}/launchdarkly-server-sdk-${SDK_VERSION}.gem.intoto.jsonl

# Run slsa-verifier to verify provenance against package artifacts
$ slsa-verifier verify-artifact \
--provenance-path multiple-provenance.intoto.jsonl \
--provenance-path launchdarkly-server-sdk-${SDK_VERSION}.gem.intoto.jsonl \
--source-uri github.com/launchdarkly/ruby-server-sdk \
launchdarkly-server-sdk-VERSION.gem
launchdarkly-server-sdk-${SDK_VERSION}.gem
```

Below is a sample of expected output.

```
Verified signature against tlog entry index 78214752 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ab941c118ef7e0b2d656b962a0d670c6ac91cfa37d07b7b121ae560b00a978ecf
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0" at commit f43b3ad834103fdc282652efbfe4963e8dfa737b
Verifying artifact launchdarkly-server-sdk-8.3.0.gem: PASSED

PASSED: Verified SLSA provenance
```

Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.
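Review bot: in the `slsa-verifier verify-artifact` invocation, `--source-uri github.com/launchdarkly/ruby-server-sdk` binds the provenance to the repository but not to the version the reader just fetched, so a valid provenance from any release of this repo would pass; since the release asset URL on the line above already uses `${SDK_VERSION}` as the release tag, consider adding `--source-tag ${SDK_VERSION}` to the command so the verified build is pinned to that tag. Second, the new sample-output block hardcodes `launchdarkly-server-sdk-8.3.0.gem` (plus a specific tlog index and builder commit) outside the `x-release-please-start-version` / `x-release-please-end` markers, so it will drift from `SDK_VERSION` on the next release bump; either move the version-bearing line inside the markers or note in the prose that the indices and hashes in the sample are illustrative and will differ per release. The `-v $SDK_VERSION` on `gem fetch` and the corrected `--provenance-path` (the old text downloaded `multiple.intoto.jsonl` but verified `multiple-provenance.intoto.jsonl`) are good fixes.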