fix: use tag for the builder in the release workflow #788

Merged 1 commit on Jul 11, 2024


ramonpetgrave64
Contributor

The slsa-github-generator's workflow ref needs to be pinned by tag, not by hash.

Fixes this error

 - https://github.com/slsa-framework/slsa-verifier/actions/runs/9893912259/job/27330429383#step:4:17

```
Verifying slsa-verifier-linux-arm64 using slsa-verifier-linux-arm64.intoto.jsonl
Verified signature against tlog entry index 110869188 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa9a66ae8969e055f85c9ec9e0ebbe52e4947cd33cf7b84af120088fe641b8e84
Verifying artifact slsa-verifier-linux-arm64: FAILED: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""

FAILED: SLSA verification failed: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""
```

Signed-off-by: Ramon Petgrave <[email protected]>
@ramonpetgrave64
Contributor Author

@laurentsimon @ianlewis

@ramonpetgrave64 changed the title from "fix: use tag for builder" to "fix: use tag for the builder in the release workflow" on Jul 11, 2024
@ramonpetgrave64 merged commit 3714a2a into main on Jul 11, 2024
20 checks passed
@ramonpetgrave64
Contributor Author

Fixed now

```
Verifying slsa-verifier-linux-amd64 using slsa-verifier-linux-amd64.intoto.jsonl
Verified signature against tlog entry index 110903631 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ae751a25ad3be26f7bbcf198364c2969a6b789de0abae1a4370ceb7a61b23588d
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v2.0.0" at commit 3714a2a4684014deb874a0e737dffa0ee02dd647
Verifying artifact slsa-verifier-linux-amd64: PASSED

PASSED: Verified SLSA provenance
```
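
A pre-release check for the failure discussed in this PR, as an added example (not code from slsa-verifier or slsa-github-generator): it scans workflow text for calls to slsa-github-generator reusable workflows and reports any ref that is a commit hash or otherwise not a version tag. `LintBuilderRefs`, `Finding` and the `vX.Y.Z` tag pattern are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Job-level `uses:` line that calls a slsa-github-generator reusable workflow.
	usesRe = regexp.MustCompile(`^\s*uses:\s*(slsa-framework/slsa-github-generator/\.github/workflows/[^@\s]+)@(\S+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)
	// Assumption of this example: a version tag has the form vX.Y.Z[-suffix].
	tagRe = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?$`)
)
// Finding is one builder reference that is not pinned by a version tag.
type Finding struct {
	Line                int
	Workflow, Ref, Kind string // Kind is "hash" or "not-a-tag"
}
// LintBuilderRefs scans workflow text; a trailing "# ..." comment is not part of the ref.
func LintBuilderRefs(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || tagRe.MatchString(m[2]) {
			continue // not a generator call, or already pinned by tag
		}
		kind := "not-a-tag"
		if shaRe.MatchString(m[2]) {
			kind = "hash"
		}
		out = append(out, Finding{Line: i + 1, Workflow: m[1], Ref: m[2], Kind: kind})
	}
	return out
}

const sampleWorkflow = `jobs: # constructed sample; hash, tag and workflow name are the ones quoted in this PR
  build:
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # hash pin
  build-fixed:
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0
`

func main() {
	for _, f := range LintBuilderRefs(sampleWorkflow) {
		fmt.Printf("line %d: %s@%s (%s): pin by tag\n", f.Line, f.Workflow, f.Ref, f.Kind)
	}
}
```

Run against the release workflow before tagging, this flags the hash-pinned builder while the verification failure is still cheap to fix.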
