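#!/bin/bash
#
# Download the artifacts of a slsa-framework/slsa-verifier GitHub release
# and verify each one against its SLSA provenance with the in-tree verifier.
#
# Usage:  verify-release.sh <tag>
# Env:    GH_TOKEN (required) - token the gh CLI uses to download assets.
#         GH       (optional) - gh CLI binary to invoke; defaults to "gh".
# Exit:   0 when every artifact verifies; non-zero on usage error, missing
#         token, missing provenance, an empty release, or any verification
#         failure (set -e propagates the verifier's status).
set -euo pipefail

if [[ "$#" -ne 1 ]]; then
  echo "Usage: $0 tag" >&2
  exit 1
fi

# Verify GH_TOKEN is set: gh needs it to fetch release assets.
if [[ -z "${GH_TOKEN:-}" ]]; then
  echo "GH_TOKEN is unset" >&2
  exit 1
fi

# Set the gh CLI (overridable for non-standard install paths).
GH="${GH:-gh}"

tag="$1"
readonly tag

# mktemp -d already yields a fresh, empty, unpredictable directory, so no
# mkdir/rm pre-clean is needed. Remove it on every exit path so downloaded
# binaries and provenance do not linger on disk.
dir=$(mktemp -d)
readonly dir
cleanup() { rm -rf -- "${dir:?}"; }
trap cleanup EXIT
echo "INFO: using dir: ${dir}"
echo

# Download artifacts and provenance straight into ${dir}. --dir avoids the
# cd / cd - dance (cd - also echoes the directory to stdout) and keeps the
# cwd unchanged for the go run below.
"${GH}" release -R slsa-framework/slsa-verifier download "${tag}" --dir "${dir}"

# nullglob: an empty download yields zero iterations instead of passing the
# literal "${dir}/*" to the verifier.
shopt -s nullglob
verified=0
for file in "${dir}"/*; do
  # Provenance files are inputs to verification, not artifacts to verify.
  if [[ "${file}" == *".intoto.jsonl" ]]; then
    continue
  fi
  provenance="${file}.intoto.jsonl"
  # Fail closed: an artifact shipped without provenance must not slip
  # through with a confusing file-not-found error from the verifier.
  if [[ ! -f "${provenance}" ]]; then
    echo "ERROR: no provenance found for ${file}" >&2
    exit 1
  fi
  go run ./cli/slsa-verifier verify-artifact "${file}" \
    --provenance-path "${provenance}" \
    --source-uri github.com/slsa-framework/slsa-verifier \
    --source-tag "${tag}"
  verified=$((verified + 1))
done

# A release with no artifacts would otherwise be reported as a success.
if (( verified == 0 )); then
  echo "ERROR: no artifacts found for tag ${tag} in ${dir}" >&2
  exit 1
fi
echo "INFO: verified ${verified} artifact(s) for ${tag}"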