How do we verify release assets with provenance?

[suzuki-shunsuke]

Thank you for your great project.
This project releases pre-built binaries and provenance.

https://github.com/moby/buildkit/releases/tag/v0.13.1

• Support for provenance attestations #3240

So I tried to verify them with slsa-verifier, but it didn't work well.

I'm using slsa-verifier v2.5.1.

$ slsa-verifier version
  ____    _       ____       _             __     __  _____   ____    ___   _____   ___   _____   ____
 / ___|  | |     / ___|     / \            \ \   / / | ____| |  _ \  |_ _| |  ___| |_ _| | ____| |  _ \
 \___ \  | |     \___ \    / _ \    _____   \ \ / /  |  _|   | |_) |  | |  | |_     | |  |  _|   | |_) |
  ___) | | |___   ___) |  / ___ \  |_____|   \ V /   | |___  |  _ <   | |  |  _|    | |  | |___  |  _ <
 |____/  |_____| |____/  /_/   \_\            \_/    |_____| |_| \_\ |___| |_|     |___| |_____| |_| \_\
slsa-verifier: Verify SLSA provenance for Github Actions

GitVersion:    2.5.1
GitCommit:     eb7007070baa04976cb9e25a0d8034f8db030a86
GitTreeState:  clean
BuildDate:     2024-03-25T14:54:53
GoVersion:     go1.21.8
Compiler:      gc
Platform:      darwin/arm64

I tried to verify buildkit-v0.13.1.darwin-arm64.tar.gz with buildkit-v0.13.1.darwin-arm64.provenance.json, but slsa-verifier failed.

$ slsa-verifier verify-artifact \
  --provenance-path buildkit-v0.13.1.darwin-arm64.provenance.json \
  --source-uri github.com/moby/buildkit \
  buildkit-v0.13.1.darwin-arm64.tar.gz
No certificate provided, trying Redis search index to find entries by subject digest
Verifying artifact buildkit-v0.13.1.darwin-arm64.tar.gz: FAILED: error searching rekor entries: no matching entries found

FAILED: SLSA verification failed: error searching rekor entries: no matching entries found