xeol-io / xeol

A scanner for end-of-life (EOL) software and dependencies in container images, filesystems, and SBOMs
https://www.xeol.io/
Apache License 2.0

SLSA provenance missing from releases #419

Closed karends-cisco closed 3 weeks ago

karends-cisco commented 3 weeks ago

What happened: multiple.intoto.jsonl is missing from releases v0.9.14, v0.9.15, and v0.10.0.

What you expected to happen: multiple.intoto.jsonl is available to verify xeol using slsa-verifier.

How to reproduce it (as minimally and precisely as possible): n/a

Anything else we need to know?: n/a

Environment: n/a

noqcks commented 3 weeks ago

hey @karends-cisco, sorry about that

the version of the slsa-verifier we were using v1.9.0 stopped working with sigstore and I didn't get around to fixing it. I just upgraded the version to 2.0.0 in https://github.com/xeol-io/xeol/pull/420 and SLSA signatures are working again for version 0.10.1 of xeol.

slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl xeol_0.10.1_darwin_arm64.tar.gz --source-uri=github.com/xeol-io/xeol
Verified signature against tlog entry index 142695588 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677ac925a6285e3607c7be343ad97e1d86fa4a1476950b95362d931c02d2e55dcd59
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit e9923921a3d31388787bb8f876fe3eed8823b206
Verifying artifact xeol_0.10.1_darwin_arm64.tar.gz: PASSED

PASSED: SLSA verification passed
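As an added example (not xeol's code and not part of the thread), here is a consumer-side pre-check on a downloaded multiple.intoto.jsonl: it decodes the DSSE envelopes, confirms the release artifact is listed as a subject with a matching sha256, and confirms the builder ID is the slsa-github-generator workflow the verifier output above shows. It does not check the signature or the Rekor log entry; that remains slsa-verifier's job, so this is a cheap sanity check to run before or alongside it. The expected builder pin and the sample artifact/envelope are constructed assumptions.

```python
import base64
import hashlib
import json

# Builder ID shown in the slsa-verifier output above, pinned here as an assumption.
EXPECTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/"
                    ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0")

def provenance_statements(jsonl_text):
    """Yield decoded in-toto statements from a DSSE .intoto.jsonl file (one envelope per line)."""
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") == "application/vnd.in-toto+json":
            yield json.loads(base64.b64decode(envelope["payload"]))

def check_subject(jsonl_text, artifact_name, artifact_bytes, expected_builder=EXPECTED_BUILDER):
    """Pre-checks only (no signature or Rekor verification; slsa-verifier does that):
    is the artifact listed, does its sha256 match, and is the builder the one we expect."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    result = {"subject_found": False, "digest_match": False, "builder_match": False}
    for stmt in provenance_statements(jsonl_text):
        for subject in stmt.get("subject", []):
            if subject.get("name") != artifact_name:
                continue
            result["subject_found"] = True
            result["digest_match"] = subject.get("digest", {}).get("sha256") == digest
            pred = stmt.get("predicate", {})
            # SLSA v0.2 puts the builder at predicate.builder.id; v1 at predicate.runDetails.builder.id
            builder_id = (pred.get("builder", {}).get("id")
                          or pred.get("runDetails", {}).get("builder", {}).get("id"))
            result["builder_match"] = builder_id == expected_builder
            return result
    return result

# Constructed sample, not a real xeol release: stand-in artifact bytes for the tarball name above.
SAMPLE_ARTIFACT = b"stand-in bytes for xeol_0.10.1_darwin_arm64.tar.gz"

def constructed_jsonl(artifact_name, artifact_bytes, builder=EXPECTED_BUILDER):
    """Build a one-line, unsigned multiple.intoto.jsonl carrying a SLSA v0.2 predicate (constructed)."""
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": "https://slsa.dev/provenance/v0.2",
                 "subject": [{"name": artifact_name,
                              "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
                 "predicate": {"builder": {"id": builder}}}
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": [{"keyid": "", "sig": "constructed-placeholder"}]}
    return json.dumps(envelope) + "\n"
```

A digest mismatch means the file you downloaded is not the one the provenance describes, which is exactly the case that a missing or stale multiple.intoto.jsonl would otherwise let slip through.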