How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112): 1. Clone repo ``` $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier $ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR. # Note down the path to the temporary dir used. The bash script will print its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL" ``` 2. Run the command below and compare to SHA256SUM.md in this PR ``` $ sha256sum /tmp/tmp.VaYi6HfbmL/* ``` The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary, so don't LGTM --------- Signed-off-by: laurentsimon <laurentsimon@google.com>
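#!/bin/bash
#
# Download the artifacts and SLSA provenance of a slsa-verifier release and
# verify every artifact with the slsa-verifier CLI built from this checkout
# (`go run ./cli/slsa-verifier`), i.e. the verifier itself is trusted via the
# source tree you are running from, not via a downloaded binary.
#
# Usage:    verify-release.sh <tag>
# Env:      GH_TOKEN (required) - token used by the gh CLI for the download.
#           GH       (optional) - gh binary to use; defaults to "gh".
# Outputs:  the first line on stdout is "INFO: using dir: <dir>"; the download
#           directory is deliberately NOT removed so the caller can checksum
#           its contents afterwards.
# Returns:  0 only if every downloaded artifact verified; non-zero otherwise.
# Must be run from the repository root (the verifier path is relative).
set -euo pipefail

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  echo "Usage: $0 tag" >&2
  exit 1
}

#######################################
# Download all release assets of the given tag into a directory.
# Globals:   GH (read)
# Arguments: $1 - target directory, $2 - release tag
#######################################
download_release() {
  local dir=$1
  local tag=$2
  # Subshell: change directory only for the download, so the later
  # `go run ./cli/slsa-verifier` still resolves relative to the repo root
  # and nothing is echoed to stdout the way `cd -` would.
  (
    cd "${dir}" || die "cannot cd to ${dir}"
    "${GH}" release -R slsa-framework/slsa-verifier download "${tag}"
  )
}

#######################################
# Verify each downloaded artifact against its sibling provenance file.
# Arguments: $1 - directory holding artifacts and *.intoto.jsonl files,
#            $2 - release tag expected in the provenance
# Returns:   0 if at least one artifact was verified and none failed;
#            exits non-zero otherwise (set -e stops on the first failure).
#######################################
verify_artifacts() {
  local dir=$1
  local tag=$2
  local file provenance
  local verified=0
  for file in "${dir}"/*; do
    # Without nullglob an empty directory yields the literal pattern; skip it.
    [[ -e "${file}" ]] || continue
    # Provenance files are verifier inputs, not artifacts to verify.
    [[ "${file}" == *".intoto.jsonl" ]] && continue
    provenance="${file}.intoto.jsonl"
    # Fail loudly on a missing provenance rather than letting the verifier
    # report a confusing file-not-found error.
    [[ -f "${provenance}" ]] || die "missing provenance for ${file}: ${provenance}"
    go run ./cli/slsa-verifier verify-artifact "${file}" \
      --provenance-path "${provenance}" \
      --source-uri github.com/slsa-framework/slsa-verifier \
      --source-tag "${tag}"
    verified=$((verified + 1))
  done
  # An empty download must not look like a successful verification.
  (( verified > 0 )) || die "no artifacts found in ${dir}"
}

#######################################
# Entry point: validate inputs, download the release, verify it.
# Globals:   GH_TOKEN (read), GH (read/written with default)
# Arguments: $1 - release tag
#######################################
main() {
  [[ "$#" -eq 1 ]] || usage
  local tag=$1

  [[ -n "${GH_TOKEN:-}" ]] || die "GH_TOKEN is unset"

  # gh CLI to use; overridable via the GH environment variable.
  GH="${GH:-gh}"

  # mktemp -d already creates a fresh, empty, unpredictable directory.
  local dir
  dir=$(mktemp -d) || die "mktemp failed"

  # Keep this as the first stdout line; callers parse it to find the files.
  echo "INFO: using dir: ${dir}"
  echo

  download_release "${dir}" "${tag}"
  verify_artifacts "${dir}" "${tag}"
}

main "$@"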