mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-07 09:06:35 +00:00
f315652a8c
This sets the expected sha256 of the v2.5.1 slsa-verifier released binary. How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112): 1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1 2. Clone the slsa-verifier repo, compile and verify the provenance using the steps described in https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance ``` $ git clone git@github.com:slsa-framework/slsa-verifier.git $ cd slsa-verifier $ bash verify-release.sh v2.5.1 ``` The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM --------- Signed-off-by: laurentsimon <laurentsimon@google.com>