Closed (suzuki-shunsuke closed this issue 11 months ago)
Ah yes, that is correct. We will need to update the workflows to trigger on a tag instead of via workflow_dispatch. From the slsa-verifier docs:

> source-tag: Expects a tag like v0.0.1. Verifies exact tag used to create the binary. Supported for new tag and release triggers.
I see. I created a pull request to resolve the issue.
Thank you for releasing v0.9.6. https://github.com/xeol-io/xeol/releases/tag/v0.9.6
I confirmed it worked well.
With `--source-tag`:

```console
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.6
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit 61495c864e29bb51a3bbb3cef928db6c57a2d386
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: PASSED
PASSED: Verified SLSA provenance
```

Without `--source-tag`:

```console
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0 at commit 61495c864e29bb51a3bbb3cef928db6c57a2d386
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: PASSED
PASSED: Verified SLSA provenance
```

With an invalid `--source-tag`:

```console
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.9.6_darwin_amd64.tar.gz --source-uri=github.com/xeol-io/xeol --source-tag v0.9.5
Verified signature against tlog entry index 46062323 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa88a6a1f5d964cb49fe320aad0dd8405f525e511ec4effde4a20f8eab4aac9eb
Verifying artifact xeol_0.9.6_darwin_amd64.tar.gz: FAILED: expected tag 'refs/tags/v0.9.5', got 'refs/tags/v0.9.6': tag used to generate the binary does not match provenance
FAILED: SLSA verification failed: expected tag 'refs/tags/v0.9.5', got 'refs/tags/v0.9.6': tag used to generate the binary does not match provenance
```
Without `--source-tag`, slsa-verifier works well. But with `--source-tag`, slsa-verifier doesn't work well. Ideally, we should verify the version too.

I guess this is because the release workflow is triggered not by a GitHub tag push event but by a workflow_dispatch event.

https://github.com/xeol-io/xeol/blob/fe937f59f2ffc83923463725932200e9246eee72/.github/workflows/release.yaml#L3-L8
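The comparison that `--source-tag` performs, shown here as an added example that is not code from xeol or slsa-verifier: it decodes a DSSE envelope line from a `.intoto.jsonl` file and checks that the ref recorded in the SLSA v0.2 `configSource` URI is exactly `refs/tags/<tag>`, which is why a build triggered by workflow_dispatch (recording a branch ref) cannot pass. The envelope, commit digest and subject digest are constructed placeholders, and the field layout is assumed to match what slsa-github-generator emits; the snippet does not verify the signature or the Rekor entry, which slsa-verifier checks before this step.

```python
import base64
import json

# Constructed, unsigned DSSE envelope. Field names follow the SLSA v0.2
# provenance layout (assumed to match slsa-github-generator output); the
# digests are placeholders, not values from the xeol release.
def make_envelope(ref: str) -> str:
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "xeol_0.9.6_darwin_amd64.tar.gz",
                     "digest": {"sha256": "00" * 32}}],  # placeholder
        "predicate": {"invocation": {"configSource": {
            "uri": f"git+https://github.com/xeol-io/xeol@{ref}",
            "digest": {"sha1": "0" * 40},  # placeholder commit
            "entryPoint": ".github/workflows/release.yaml",
        }}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

def source_ref(envelope_line: str) -> str:
    """Return the git ref recorded after '@' in the configSource URI."""
    env = json.loads(envelope_line)
    statement = json.loads(base64.b64decode(env["payload"]))
    uri = statement["predicate"]["invocation"]["configSource"]["uri"]
    return uri.rsplit("@", 1)[1]

def check_source_tag(envelope_line: str, expected_tag: str) -> tuple[bool, str]:
    """Mirror the --source-tag rule: the recorded ref must be exactly
    refs/tags/<expected_tag>. A branch ref from a workflow_dispatch run
    fails even when the release is otherwise correct."""
    got = source_ref(envelope_line)
    want = f"refs/tags/{expected_tag}"
    if got == want:
        return True, "PASSED"
    return False, f"expected tag '{want}', got '{got}'"

if __name__ == "__main__":
    # Tag-triggered build passes; workflow_dispatch build (branch ref) fails.
    for ref in ("refs/tags/v0.9.6", "refs/heads/main"):
        print(ref, "->", check_source_tag(make_envelope(ref), "v0.9.6"))
```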