chore: Update doc for v2.4.0 (#699)

How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112): 1. Clone repo ``` $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier $ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR. # Note down the path to the temporary dir use. The bash script will print its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL" ``` 2. Run command below and compare to SHA256SUM.md in this PR ``` $sha256sum /tmp/tmp.VaYi6HfbmL/* ``` The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM --------- Signed-off-by: laurentsimon <laurentsimon@google.com>
2026-02-14 17:49:58 +00:00 · 2023-08-25 12:09:40 -07:00
parent 886eb4b109
commit d23c97947e
5 changed files with 54 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -97,7 +97,7 @@ You have two options to install the verifier.
 If you want to install the verifier, you can run the following command:

 ```bash
-$ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.3.0
+$ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.4.0
 $ slsa-verifier <options>
 ```

@@ -143,7 +143,7 @@ $ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier

 ```bash
 $ git clone git@github.com:slsa-framework/slsa-verifier.git
-$ cd slsa-verifier && git checkout v2.3.0
+$ cd slsa-verifier && git checkout v2.4.0
 $ go run ./cli/slsa-verifier <options>
 ```

@@ -153,7 +153,7 @@ If you need to install the verifier to run in a GitHub workflow, use the install

 ### Download the binary

-Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0)
+Download the binary from the latest release at [https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)

 Download the [SHA256SUM.md](https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md).

--- a/RELEASE.md
+++ b/RELEASE.md
@@ -83,6 +83,7 @@ Follow the steps:
 $ git clone git@github.com:slsa-framework/slsa-verifier.git
 $ cd slsa-verifier
 # $ (Optional: git checkout tags/v1.1.1: you may need to change the command below)
+# You can run `bash verify-release.sh vX.Y.Z`: it will download all artifacts and verify them.
 $ go run ./cli/slsa-verifier verify-artifact ~/Downloads/slsa-verifier-linux-amd64 --provenance-path ~/Downloads/slsa-verifier-linux-amd64.intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag vX.Y.Z
 ```

--- a/SHA256SUM.md
+++ b/SHA256SUM.md
@@ -1,3 +1,12 @@
+### [v2.4.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)
+
+9e67318937b936014b6127affc14bc45f1fb10d9899b0105877778e8179b3029  slsa-verifier-darwin-amd64
+b55009be65f8f6dae4399522e4ab5685a5cfe0b72dca3134f12ba144b8860607  slsa-verifier-darwin-arm64
+9883e4c7fd0fead95815de1533db62d1ae19daf9d333b359e192fc65ffb401b2  slsa-verifier-linux-amd64
+bb025462acd9e93da32694e3ed82bfa57cb487a28c989a083caf2a3569d3cfbe  slsa-verifier-linux-arm64
+a8ea35a4abf450f3828d42cf0b9be3628692508184bec8610a472a7bf4afc843  slsa-verifier-windows-amd64.exe
+b14cd8228fecabe53e3676ec2d94b53d7aee11f6f5a8dabbe07e840143d48e8d  slsa-verifier-windows-arm64.exe
+
 ### [v2.3.0](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.3.0)

 44ae609925c2dddafa45b2f98da62b40abcf739bbbe6f9dc792f3aba6e236e9c slsa-verifier-darwin-amd64
--- a/actions/installer/README.md
+++ b/actions/installer/README.md
@@ -11,7 +11,7 @@ For more information about SLSA in general, see [https://slsa.dev](https://slsa.
 To install a specific version of `slsa-verifier`, use:

 ```yaml
-uses: slsa-framework/slsa-verifier/actions/installer@v2.3.0
+uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
 ```

 See https://github.com/slsa-framework/slsa-verifier/releases for the list of available `slsa-verifier` releases. Only versions greater or equal to 2.0.1 are supported.
--- a/verify-release.sh
+++ b/verify-release.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 tag"
+    exit 1
+fi
+
+# Verify GH_TOKEN is set.
+if [[ -z "${GH_TOKEN:-}" ]]; then
+    echo "GH_TOKEN is unset"
+    exit 1
+fi
+
+# Set the gh CLI.
+if [[ -z "${GH:-}" ]]; then
+    GH="gh"
+fi
+
+dir=$(mktemp -d)
+tag="$1"
+
+mkdir -p "${dir}"
+rm -rf "${dir:?}/"* 2>/dev/null || true
+
+echo "INFO: using dir: ${dir}"
+echo
+
+# Download artifacts and provenance.
+cd "${dir}"
+"${GH}" release -R slsa-framework/slsa-verifier download "${tag}"
+cd -
+
+for file in "${dir}"/*; do 
+    if [[ "${file}" == *".intoto.jsonl" ]]; then
+        continue
+    fi
+    go run ./cli/slsa-verifier verify-artifact "${file}" --provenance-path "${file}".intoto.jsonl --source-uri github.com/slsa-framework/slsa-verifier --source-tag "${tag}"
+done