From c7200dda38c05b306fd507bbd1cc38e0e3e858e2 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Sat, 13 Aug 2022 00:47:55 +0000
Subject: [PATCH] update
---
 .github/workflows/goreleaser.yaml | 2 +-
 docs/checks.md | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 865fed582af6..563e2d3dc15a 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -82,4 +82,4 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
- upload-assets: true # upload to a new release
\ No newline at end of file
+ upload-assets: true # upload to a new release
diff --git a/docs/checks.md b/docs/checks.md
index b28b13de1f08..00376af1b85e 100644
--- a/docs/checks.md
+++ b/docs/checks.md
@@ -535,7 +535,10 @@ Signed releases attest to the provenance of the artifact.
 This check looks for the following filenames in the project's last five releases:
 [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
-*.sig, *.sign.
+*.sig, *.sign, *.intoto.jsonl.
+
+If signatures are found for the releases, a score of 8 is given.
+If SLSA provenances are found for the releases, a maximum score of 10 is given.
 Note: The check does not verify the signatures.