
Releases: Miranlfk/ballerina-distribution

2201.7.0

08 Aug 01:33

Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.

| Platform | Installer | Certificate | Signature |
|---|---|---|---|
| Linux DEB | ballerina-2201.7.0-swan-lake-linux-x64.deb | ballerina-2201.7.0-swan-lake-linux-x64.deb.pem | ballerina-2201.7.0-swan-lake-linux-x64.deb.sig |
| Linux RPM | ballerina-2201.7.0-swan-lake-linux-x64.rpm | ballerina-2201.7.0-swan-lake-linux-x64.rpm.pem | ballerina-2201.7.0-swan-lake-linux-x64.rpm.sig |
| macOS | ballerina-2201.7.0-swan-lake-macos-x64.pkg | ballerina-2201.7.0-swan-lake-macos-x64.pkg.pem | ballerina-2201.7.0-swan-lake-macos-x64.pkg.sig |
| macOS ARM | ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg | ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg.pem | ballerina-2201.7.0-swan-lake-macos-arm-x64.pkg.sig |
| Windows | ballerina-2201.7.0-swan-lake-windows-x64.msi | ballerina-2201.7.0-swan-lake-windows-x64.msi.pem | ballerina-2201.7.0-swan-lake-windows-x64.msi.sig |

You can use one of the methods below to verify the above artifacts.

Verify using the Cosign CLI

Below is an example of using the Cosign CLI to verify the release artifacts of the macOS platform.

Info: From the table above, choose the certificate and signature files that correspond to your installer.

Follow the steps below to verify the artifacts using the Cosign CLI.

  1. Download the desired artifact from the table above.

  2. Execute the command below to verify the artifacts.

    $ cosign verify-blob ballerina-2201.7.0-swan-lake-macos-x64.pkg \
        --certificate ballerina-2201.7.0-swan-lake-macos-x64.pkg.pem \
        --signature ballerina-2201.7.0-swan-lake-macos-x64.pkg.sig \
        --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/master \
        --certificate-oidc-issuer=https://token.actions.githubusercontent.com
    

If the artifact matches the one signed by Cosign, you will receive the following message.

Verified OK

Verify using the Rekor API

The signatures applied to the Ballerina release artifacts are recorded in Rekor, the Sigstore transparency log. Below is an example of using the Rekor API to verify the release artifacts of the macOS platform.

Info: From the table above, choose the certificate and signature files that correspond to your installer.

Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature and the certificate chain.

  1. Download the desired artifact from the table above.

  2. Generate a SHA-256 hash of the artifact and store it in a variable.

    $ SHASUM=$(shasum -a 256 ballerina-2201.7.0-swan-lake-macos-x64.pkg |awk '{print $1}')
    
  3. Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.

    $ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}"
    
  4. Assign the UUID returned by the above API call to a variable as shown below.

    Tip: Replace <UUID_VALUE> in the example below with the UUID value you received.

    $ UUID=<UUID_VALUE>
    
  5. Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.

    $ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID?}"
    
  6. Retrieve the signature and public certificate, which are required to verify the artifact.

    • Retrieve the signature:

      $ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID?}" \
          | jq -r '.[] | .body' \
          | base64 -d | jq -r '.spec.signature.content' \
          | base64 -d > ballerina-2201.7.0-swan-lake-macos-x64.pkg.sig
      
    • Retrieve the certificate:

      $ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID?}" \
          | jq -r '.[] | .body' \
          | base64 -d | jq -r '.spec.signature.publicKey.content' \
          | base64 -d > ballerina-2201.7.0-swan-lake-macos-x64.pkg.crt
      
  7. Extract the public key from the certificate file using openssl.

    $ openssl x509 -in ballerina-2201.7.0-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.7.0-swan-lake-macos-x64.pkg.pubkey.crt
    
  8. Verify the artifact using the public key.

    $ openssl sha256 -verify ballerina-2201.7.0-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.7.0-swan-lake-macos-x64.pkg.sig ballerina-2201.7.0-swan-lake-macos-x64.pkg
    

If the artifact matches the one signed by Cosign, you will receive the following message.

Verified OK
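
The decoding that steps 5 and 6 perform with jq and base64, written out in Python as an added example (not part of the Ballerina release notes), with one extra check: that the hash recorded in the log entry equals the hash of the file you downloaded. The Rekor reply, UUID, signature and certificate bytes are constructed sample values, and the `kind` and `spec.data.hash` field names are assumed from Rekor's hashedrekord entry format rather than taken from this page.

```python
import base64
import hashlib
import json


def decode_entry(response: dict) -> dict:
    """Decode the reply of GET /api/v1/log/entries/{UUID} (step 5)."""
    (uuid, entry), = response.items()  # the reply maps one UUID to one entry
    body = json.loads(base64.b64decode(entry["body"]))
    if body.get("kind") != "hashedrekord":
        raise ValueError(f"unexpected entry kind: {body.get('kind')!r}")
    spec = body["spec"]
    return {
        "uuid": uuid,
        "hash_alg": spec["data"]["hash"]["algorithm"],
        "hash_value": spec["data"]["hash"]["value"],
        # The same fields the jq filters in step 6 select.
        "signature": base64.b64decode(spec["signature"]["content"]),
        "certificate": base64.b64decode(spec["signature"]["publicKey"]["content"]),
    }


def entry_covers_artifact(decoded: dict, artifact: bytes) -> bool:
    """True only if the log entry was made for exactly these bytes."""
    return (decoded["hash_alg"] == "sha256"
            and decoded["hash_value"] == hashlib.sha256(artifact).hexdigest())


def build_sample_response(artifact: bytes) -> dict:
    """Constructed stand-in for a Rekor reply; not real log data."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    spec = {
        "data": {"hash": {"algorithm": "sha256",
                          "value": hashlib.sha256(artifact).hexdigest()}},
        "signature": {
            "content": b64(b"constructed-signature"),
            "publicKey": {"content": b64(b"-----BEGIN CERTIFICATE-----\n(constructed)\n")},
        },
    }
    body = {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec": spec}
    return {"constructed-uuid": {"body": b64(json.dumps(body).encode()), "logIndex": 0}}


if __name__ == "__main__":
    sample = b"constructed installer bytes"
    decoded = decode_entry(build_sample_response(sample))
    print(entry_covers_artifact(decoded, sample))         # unmodified file
    print(entry_covers_artifact(decoded, sample + b"x"))  # modified file
```

This check only ties the log entry to the file; the signature itself is still verified with openssl as in steps 7 and 8.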

2201.7.0-rc3

06 Jul 05:25
Pre-release
v2201.7.0-rc3

Test 2

2201.7.0-rc2

28 Jun 05:26
Pre-release
v2201.7.0-rc2

[Gradle Release Plugin] - creating tag:  'v2201.7.0-rc2'.

2201.7.0-rc1

27 Jun 11:30
Pre-release
v2201.7.0-rc1

[Gradle Release Plugin] - creating tag:  'v2201.7.0-rc1'.

1.2.39

24 Jun 13:44
Pre-release
v1.2.39

[maven-release-plugin] copy for tag v1.2.39