github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-06 16:46:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
390d18a96c6075052f658cd111414c7fff67dfd6
slsa-verifier/RELEASE.md
asraa 588ddc4344 add v1.1.1 hash (#114) 
Signed-off-by: Asra Ali <asraa@google.com>
2022-06-29 17:39:18 +00:00

2.8 KiB
Raw Blame History

Releasing the verifier

This is a document to describe the release process for the verifier.

Publish release

Create a new tag for the official generator via slsa-framework/slsa-verifier/releases/new.

Use a "canonical" semantic version without metadata vX.Y.Z.

Set the title to vX.Y.Z.

Click Publish release.

This will trigger a release workflow: wait until it completes and generates the binary and the provenance.

Verify provenance

Follow the steps:

  1. Download the binary and provenance from https://github.com/slsa-verifier/slsa-verifier/releases/tag/vX.Y.Z

  2. Clone the slsa-verifier repo, compile and verify the provenance:

$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
# $ (Optional: git checkout tags/v1.1.1)
$ go run . -artifact-path slsa-verifier-linux-amd64 -provenance slsa-verifier-linux-amd64.intoto.jsonl -source github.com/slsa-framework/slsa-verifier -tag vX.Y.Z

If the provenance verification fails, delete the release and the tag. Otherwise, continue.

Update documentation

Follow these steps:

  1. Compute the hash of the binary. One of the following commands will do:
$ cat slsa-verifier-linux-amd64.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.subject[0].digest.sha256'

or

$ sha256sum slsa-verifier-linux-amd64
  1. Add an additional entry at the top of SHA256SUM.md:
### [vX.Y.Z](https://github.com/slsa-framework/slsa-verifier/releases/tag/vX.Y.Z)
<the-hash>  slsa-verifier-linux-amd64
  1. Update the latest version in the README.md:
$ sed -i "s/v1.0.0/v1.1.1/g" ./README.md
  1. Send a pull request with the changes. In the description, explain the steps to verify the hash update, i.e., reviewers shoud LGTM only if the provenance verification succeeds and the hash in the pull request matches the one computed on the binary. You can use #slsa-framework/slsa-github-generator#113 as example.

Update builders

Send a similar pull request to update the hash and version of the verifier for the workflow slsa-framework/slsa-github-generator/blob/main/.github/workflows/builder_go_slsa3.yml#L30-L31. Explain the steps to verify the hash. If the pull request for the verifier is already merged, you can simply point to it instead.

Note: you need not cut a release for the generator, unless the verifier has important changes that are required for the builders to work properly.

Reference in New Issue View Git Blame Copy Permalink