review: doc: add SUPPLY-CHAIN.md #6063

Merged
merged 5 commits into from
Nov 13, 2024
Changes from 2 commits
45 changes: 45 additions & 0 deletions SUPPLY-CHAIN.md
@@ -0,0 +1,45 @@
# Supply chain
## Attest build artifacts
The Spoon CI/CD pipeline attests all released artifacts by publishing attestations to the [sigstore/rekor](https://www.sigstore.dev/) public-good instance as well as storing them in the [Spoon repository](https://github.com/INRIA/spoon/attestations). Attestations are published using Github's [attest-build-provenance](https://github.com/actions/attest-build-provenance) action as a step in the [jreleaser job](https://github.com/ludvigch/spoon/blob/master/.github/workflows/jreleaser.yml). A list of the attestations created in a release can be found in the summary of the job and links sigstore/rekor for each attestation can be found in the log of the jreleaser job.

## Verifying attestations

The most straight-forward approach is to use GitHub CLI's [`gh attestation verify`](https://cli.github.com/manual/gh_attestation_verify) to verify the attestation of an artifact by running:

`gh attestation verify <artifact-name>.jar -R INRIA/spoon`

For example, let's verify the [spoon-core-11.1.1-beta-11-jar-with-dependencies.jar](https://repo1.maven.org/maven2/fr/inria/gforge/spoon/spoon-core/11.1.1-beta-11/spoon-core-11.1.1-beta-11-jar-with-dependencies.jar) artifact.

### Alternative 1: Using GitHub API

`gh attestation verify spoon-core-11.1.1-beta-11-jar-with-dependencies.jar -R INRIA/spoon`

Output:
```
Loaded digest sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 for file://spoon-core-11.1.1-beta-11-jar-with-dependencies.jar
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 was attested by:
REPO PREDICATE_TYPE WORKFLOW
INRIA/spoon https://slsa.dev/provenance/v1 .github/workflows/jreleaser.yml@refs/heads/master

```

### Alternative 2: Using a downloaded attestation

[Dowload the attestation.](https://github.com/INRIA/spoon/attestations/2750640/download)

`gh attestation verify spoon-core-11.1.1-beta-11-jar-with-dependencies.jar -R INRIA/spoon --bundle ./INRIA-spoon-attestation-2750640.sigstore.json`

Output:
```
Loaded digest sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 for file://spoon-core-11.1.1-beta-11-jar-with-dependencies.jar
Loaded 1 attestation from INRIA-spoon-attestation-2750640.sigstore.json
✓ Verification succeeded!

sha256:804c2ab449cc16052b467edc3ab1f7cf931f8e679685c0e16fab2fcc16ecfb41 was attested by:
REPO PREDICATE_TYPE WORKFLOW
INRIA/spoon https://slsa.dev/provenance/v1 .github/workflows/jreleaser.yml@refs/heads/master

```
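Review bot: the jreleaser workflow link in the "Attest build artifacts" paragraph points at a personal fork (https://github.com/ludvigch/spoon/blob/master/.github/workflows/jreleaser.yml) rather than INRIA/spoon, while the verification output on this same page names `INRIA/spoon` and `.github/workflows/jreleaser.yml@refs/heads/master` as the attesting workflow; the link should go to the workflow in the INRIA/spoon repository so readers can compare what they verify against what is documented. In the same paragraph, "links sigstore/rekor for each attestation can be found" should read "links to sigstore/rekor for each attestation can be found". Under "Alternative 2", "Dowload" should be "Download". The command under "Alternative 1" repeats the generic `gh attestation verify <artifact-name>.jar -R INRIA/spoon` line shown just above it verbatim; consider dropping one of the two, and add a sentence telling the reader what to check in the output beyond the "Verification succeeded!" line: that the `REPO` column is `INRIA/spoon`, the `PREDICATE_TYPE` is `https://slsa.dev/provenance/v1`, and the `WORKFLOW` column is `.github/workflows/jreleaser.yml@refs/heads/master`, since `-R INRIA/spoon` on its own accepts an attestation from any workflow in that repository (for a stricter check, gh's `--signer-workflow INRIA/spoon/.github/workflows/jreleaser.yml` flag pins the signing workflow). It would also help to state that "Alternative 2" still needs network access for the Sigstore trust material and the `-R` lookup, and that the downloaded bundle is only an offline copy of the attestation, not an offline verification.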