Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: slsa-framework/slsa-verifier
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v2.7.0
Choose a base ref
...
head repository: slsa-framework/slsa-verifier
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v2.7.1-rc.1
Choose a head ref
  • 4 commits
  • 95 files changed
  • 3 contributors

Commits on Feb 10, 2025

  1. chore: Update docs for v2.7.0 (#829) 

    #label:release v2.7.0

Updates docs to reference the new v2.7.0 release.

**How to verify**

Clone the repo and run the script described in
https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance.
```
git clone git@github.com:slsa-framework/slsa-verifier.git
cd slsa-verifier
chmod +x verify-release.sh
GH_TOKEN=`gh auth token` bash verify-release.sh v2.7.0
```

Using the temp directory logged from the above command

```
cd <logged temp directory from running verify-release.sh>
sha256sum * | grep -v "intoto"      
36694b43ab23be234add09272e5faf77349d7e267bf65c01dc9bcdf58c4f496e  slsa-verifier-darwin-amd64
84d9122ce12e0c79080844285fd5c4976407ed3463e434a1b21b0979c46b1e55  slsa-verifier-darwin-arm64
499befb675efcca9001afe6e5156891b91e71f9c07ab120a8943979f85cc82e6  slsa-verifier-linux-amd64
dc3845d7605f666a0938389c1c5735230e50b32a547867ffd351fb14df928167  slsa-verifier-linux-arm64
61ff8b1cca6ac0012b0ba906367836f64a389444766be437df2a69f71285f43b  slsa-verifier-windows-amd64.exe
ddf58798049599c44caf299b6a9cf8a41760daa94ee208bdae8aa78fc75dcb2b  slsa-verifier-windows-arm64.exe
```

Confirm your output checksums matches those in this PR's changes for
SHA256SUM.md.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
    @ramonpetgrave64
    ramonpetgrave64 authored Feb 10, 2025
    Configuration menu
    Copy the full SHA
    9825851 View commit details
    Browse the repository at this point in the history

Commits on Feb 14, 2025

  1. docs(npm): "exmaple" spelling fix (#832) 

    Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>
    @scop
    scop authored Feb 14, 2025
    1 Configuration menu
    Copy the full SHA
    9108dc2 View commit details
    Browse the repository at this point in the history

Commits on Feb 27, 2025

  1. chore: update test files for v2.1.0 (#836) 

    Similar to #758, we are updating the test files.

Errors for checking the tag in attestations are slightly different. Unit
tests are adjusted with the new test cases.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
    @ramonpetgrave64
    ramonpetgrave64 authored Feb 27, 2025
    Configuration menu
    Copy the full SHA
    b53bd94 View commit details
    Browse the repository at this point in the history

Commits on Apr 10, 2025

  1. feat: verify provenance for bcr modules produced by trusted reusable … 

    …workflows (#840)

@fweikert these are the changes I think might be needed to get this to
work (it's somewhat hacky, I'm not sure I've fully covered what's
needed).

@ramonpetgrave64 is this kinda what's needed?

This now adds the `verify-github-attestation` sub command. Use this
instead of `verify-artifact`.

---------

Signed-off-by: Appu Goundan <appu@google.com>
Signed-off-by: Appu <appu@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
    @loosebazooka @ramonpetgrave64
    loosebazooka and ramonpetgrave64 authored Apr 10, 2025
    Configuration menu
    Copy the full SHA
    a481a19 View commit details
    Browse the repository at this point in the history
Loading