slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0

feat: Digest for new release #722

Closed laurentsimon closed 8 months ago

laurentsimon commented 8 months ago

label:release v2.4.1

How to LGTM this PR:

Ensure you have installed the GitHub client from https://cli.github.com. If it is not installed in your PATH, set export GH=/path/to/your/gh

Set your export GH_TOKEN=...

Use the verify-release.sh script in this repository:

bash verify-release.sh v2.4.1

Once it completes, you will see the last line "Verifying artifact /tmp/tmp.SomeRanDOm/". Then run:

sha256sum /tmp/tmp.SomeRanDOm/* | grep -v intoto

This will print out the hashes. Compare them to the changes in this PR.
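The final comparison step above can be done mechanically instead of by eye. This is an added example, not part of the PR or of the repository's verify-release.sh; the function names and the `expected.txt` file (digests copied from the PR diff, one `<sha256>  <file name>` per line) are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code). Assumes artifact names contain no spaces.

# normalize: read "<hash>  <name>" (or "<hash> *<name>") lines on stdin and
# emit them lower-cased, with a fixed separator, sorted by file name.
normalize() {
    awk 'NF >= 2 { sub(/^\*/, "", $2); print tolower($1) "  " $2 }' | LC_ALL=C sort -k2
}

# compare_digests DIR EXPECTED
# Exit status 0: every non-intoto file in DIR has exactly the digest listed
#                in EXPECTED, and EXPECTED lists no file that is absent from DIR.
# Exit status 1: a digest differs, or a file is missing or unexpected.
# Exit status 2: bad arguments or an empty EXPECTED list.
# The body is a subshell, so variables and the trap stay local to the call.
compare_digests() (
    dir=$1
    expected=$2
    if [ ! -d "$dir" ] || [ ! -r "$expected" ]; then
        echo "usage: compare_digests DIR EXPECTED" >&2
        exit 2
    fi
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT

    # Same filter as the manual step: hash everything except the provenance files.
    (cd "$dir" && sha256sum -- *) | grep -v intoto | normalize > "$tmp/got"
    normalize < "$expected" > "$tmp/want"

    # An empty expected list must never count as a match.
    if [ ! -s "$tmp/want" ]; then
        echo "no digests found in $expected" >&2
        exit 2
    fi

    # In the diff output, '<' lines come from the PR and '>' lines were computed locally.
    if diff "$tmp/want" "$tmp/got" >&2; then
        echo "OK: all digests match $expected"
        exit 0
    fi
    echo "MISMATCH: do not approve until the difference is explained" >&2
    exit 1
)
```

Usage: `compare_digests /tmp/tmp.SomeRanDOm expected.txt`, where the directory is the one printed by the script's last line.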

laurentsimon commented 8 months ago

NOTE: The pre-submits were failing due to an older version of the Go compiler, so I've updated from 1.18 to 1.20 in this PR.