From 4d2ad530e7bf8ebdb232be1ec0cba638771b3b4a Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Thu, 30 Oct 2025 00:13:52 +0100 Subject: [PATCH 01/21] Add GH attestation on release Signed-off-by: Viacheslav Kudinov --- .github/workflows/release.yml | 5 ++++ VERIFY_ATTESTATIONS.md | 45 +++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 VERIFY_ATTESTATIONS.md diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ed7fd14b51..2d2730c446 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,3 +43,8 @@ jobs: # GitHub sets the GITHUB_TOKEN secret automatically. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + + - name: Generate artifact attestations + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: 'dist/terraform-provider-github_*.zip' \ No newline at end of file diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md new file mode 100644 index 0000000000..edfce3c0cc --- /dev/null +++ b/VERIFY_ATTESTATIONS.md 
@@ -0,0 +1,45 @@ +## Using artifact attestations to achieve SLSA v1 Build Level 3 + +This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project. + +### Verifying artifact attestations built with a reusable workflow + +To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI. + +The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it. + +> [!NOTE] +> Make sure to replace X.Y.Z with the actual release tag you want to verify. + +> [!WARNING] +> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. + +Download the release artifacts first: + +```bash +gh release download vX.Y.Z -R integrations/terraform-provider-github -p "*.zip" +``` + +To verify the artifact attestations for this project, you can run the following command: + +```bash +gh attestation verify --repo integrations/terraform-provider-github terraform-provider-github_X.Y.Z_darwin_amd64.zip +``` + +### Using optional flags + +The `gh attestation verify` command supports additional flags for more specific verification: + +Use the `--signer-repo` flag to specify the repository: + +```bash +gh attestation verify --owner integrations --signer-repo integrations/terraform-provider-github \ +terraform-provider-github_X.Y.Z_darwin_amd64.zip +``` + +If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used. 
+ +```bash +gh attestation verify --owner integrations --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yml \ +terraform-provider-github_X.Y.Z_darwin_amd64.zip +``` From 8ce65809c7ada5c2bc2a93b07169b6b411f6148d Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Mon, 8 Dec 2025 14:53:48 +0100 Subject: [PATCH 02/21] Add information that attestations are available since v6.9.0 Signed-off-by: Viacheslav Kudinov --- VERIFY_ATTESTATIONS.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index edfce3c0cc..f1d8372497 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -14,10 +14,13 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags > [!WARNING] > Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. +> [!CAUTION] +> The attestations are available only for releases created since the version `v6.9.0` of this project. + Download the release artifacts first: ```bash -gh release download vX.Y.Z -R integrations/terraform-provider-github -p "*.zip" +gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.zip" ``` To verify the artifact attestations for this project, you can run the following command: From 00de37c3cea2f5d34c3c71c207a68405b55fe8fa Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Wed, 10 Dec 2025 22:43:40 +0100 Subject: [PATCH 03/21] Add Cosign verification --- VERIFY_ATTESTATIONS.md | 91 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 13 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index f1d8372497..2e6716d103 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
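Review bot: the `Generate artifact attestations` step added to `.github/workflows/release.yml` in patch 01 needs the job to grant `id-token: write` and `attestations: write` (the action signs with the workflow's OIDC token and stores the attestation in the repository); the hunk's context shows only the `env:` block, so please confirm the job's `permissions:` block carries both, otherwise the step fails at release time. Two smaller points in the same patch: the new step leaves the file without a trailing newline (`\ No newline at end of file`), and the heading `Verifying artifact attestations built with a reusable workflow` in the new VERIFY_ATTESTATIONS.md does not describe this setup, which attests from an inline step in `release.yml` rather than from a reusable workflow.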
@@ -1,8 +1,20 @@ -## Using artifact attestations to achieve SLSA v1 Build Level 3 +# Using artifact attestations to achieve SLSA v1 Build Level 3 This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project. -### Verifying artifact attestations built with a reusable workflow +## Verifying release artifacts attestations with GitHub CLI + +> [!WARNING] +> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. + +> [!CAUTION] +> The attestations are available only for the releases created since the version `v6.9.0` of this project. + +### Prerequisites + +First, install GitHub CLI if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation) for your platform. + +### Verifying attestations To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI. @@ -11,12 +23,6 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags > [!NOTE] > Make sure to replace X.Y.Z with the actual release tag you want to verify. -> [!WARNING] -> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. - -> [!CAUTION] -> The attestations are available only for releases created since the version `v6.9.0` of this project. - Download the release artifacts first: ```bash 
@@ -26,7 +32,8 @@ gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.z To verify the artifact attestations for this project, you can run the following command: ```bash -gh attestation verify --repo integrations/terraform-provider-github terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --repo integrations/terraform-provider-github \ + terraform-provider-github_X.Y.Z_darwin_amd64.zip ``` ### Using optional flags 
@@ -36,13 +43,71 @@ The `gh attestation verify` command supports additional flags for more specific Use the `--signer-repo` flag to specify the repository: ```bash -gh attestation verify --owner integrations --signer-repo integrations/terraform-provider-github \ -terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --owner integrations --signer-repo \ + integrations/terraform-provider-github \ + terraform-provider-github_X.Y.Z_darwin_amd64.zip ``` If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used. ```bash -gh attestation verify --owner integrations --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yml \ -terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --owner integrations --signer-workflow \ + integrations/terraform-provider-github/.github/workflows/release.yaml \ + terraform-provider-github_X.Y.Z_darwin_amd64.zip +``` + +## Verifying release artifacts with Cosign + +> [!WARNING] +> Not all the releases may have Cosign signature for the checksum files. + +> [!CAUTION] +> The Cosign signatures are available only for the releases created since the version `v6.9.0` of this project. + +In addition to artifact attestations, you can verify release artifacts using [Cosign](https://docs.sigstore.dev/cosign/overview/). Cosign is a tool for signing and verifying software artifacts and container images. + +### Prerequisites + +First, install Cosign if you haven't already. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/) for your platform. + +### Verify checksums file + +> [!NOTE] +> Make sure to replace X.Y.Z with the actual release tag you want to verify. 
+ +Download the checksums file and its signature bundle: + +```bash +gh release download vX.Y.Z --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_X.Y.Z_SHA256SUMS" \ + -p "terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle" +``` + +Verify the checksums file signature: + +```bash +cosign verify-blob \ + --bundle terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle \ + --certificate-identity-regexp "^https://github.com/integrations/terraform-provider-github" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + terraform-provider-github_X.Y.Z_SHA256SUMS ``` + +### Verify artifact checksums + +After verifying the checksums file, verify your downloaded artifacts match the checksums: + +Download the artifact you want to verify: + +```bash +gh release download vX.Y.Z --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_X.Y.Z_darwin_amd64.zip" +``` + +Verify the checksum: + +```bash +shasum -a 256 -c terraform-provider-github_X.Y.Z_SHA256SUMS --ignore-missing +``` + +This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity. From d032e0a085219035d2be2aa8dc3a8df9c1506824 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 12 Dec 2025 17:11:08 +0100 Subject: [PATCH 04/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 2e6716d103..a2f0642bc1 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
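Review bot: the `--signer-workflow` example in patch 03's `@@ -36,13 +43,71 @@` hunk changes the workflow path from `release.yml` to `release.yaml`, but the workflow patched in 01 is `.github/workflows/release.yml`; the signer identity in the certificate is the real path, so unless the file has been renamed this verification will fail. In the new Cosign section, `--certificate-identity-regexp "^https://github.com/integrations/terraform-provider-github"` is anchored only at the start: it accepts any workflow at any ref in this repository, and any repository whose name merely begins with `terraform-provider-github`, so prefer an exact `--certificate-identity` naming the release workflow path and `refs/tags/v<version>`. Also worth confirming that `terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle` is really the signature bundle for the checksums file; the `.sbom.json` infix reads like an SBOM artifact name.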
@@ -26,7 +26,8 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags Download the release artifacts first: ```bash -gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.zip" +version="x.y.z" +gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" ``` To verify the artifact attestations for this project, you can run the following command: From 199e2e67c51d654a513991dcdb98e736373952f9 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 12 Dec 2025 17:12:15 +0100 Subject: [PATCH 05/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index a2f0642bc1..cf1a4a2f50 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -33,8 +33,9 @@ gh release download "v${version}" --repo integrations/terraform-provider-github To verify the artifact attestations for this project, you can run the following command: ```bash -gh attestation verify --repo integrations/terraform-provider-github \ - terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --repo integrations/terraform-provider-github --source-ref "v${version}"\ + --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml \ + "terraform-provider-github_X.Y.Z_darwin_amd64.zip" ``` ### Using optional flags From 3e4e256b09cbb405b1e3af355033882d9176e29b Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 12 Dec 2025 17:13:31 +0100 Subject: [PATCH 06/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index cf1a4a2f50..03a0c7ca10 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
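Review bot: `--source-ref "v${version}"` in patch 05's `@@ -33,8 +33,9 @@` hunk passes a bare tag name, whereas the provenance records the full ref the release was built from; use `refs/tags/v${version}` so the check matches (patch 08 in this series switches to that form). The same line is missing a space before the continuation backslash (`"v${version}"\`), which bash accepts but which is easy to break when editing, and the artifact argument still uses the literal `X.Y.Z` even though `version` was introduced two lines earlier.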
@@ -89,10 +89,10 @@ Verify the checksums file signature: ```bash cosign verify-blob \ - --bundle terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle \ - --certificate-identity-regexp "^https://github.com/integrations/terraform-provider-github" \ + --bundle "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - terraform-provider-github_X.Y.Z_SHA256SUMS + --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ + "terraform-provider-github_${version}_SHA256SUMS" ``` ### Verify artifact checksums From a03b298f0b9ab2d227fbf815b70e26214b833014 Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Fri, 12 Dec 2025 17:17:37 +0100 Subject: [PATCH 07/21] Use ${version} in all the commands Signed-off-by: Viacheslav Kudinov --- VERIFY_ATTESTATIONS.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 03a0c7ca10..9801559c1a 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -21,7 +21,7 @@ To verify artifact attestations generated during the build process, use the `gh The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it. > [!NOTE] -> Make sure to replace X.Y.Z with the actual release tag you want to verify. +> Make sure to replace x.y.z with the actual release tag you want to verify. Download the release artifacts first: @@ -35,7 +35,7 @@ To verify the artifact attestations for this project, you can run the following ```bash gh attestation verify --repo integrations/terraform-provider-github --source-ref "v${version}"\ --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml \ - "terraform-provider-github_X.Y.Z_darwin_amd64.zip" + "terraform-provider-github_${version}_darwin_amd64.zip" ``` ### Using optional flags 
@@ -47,7 +47,7 @@ Use the `--signer-repo` flag to specify the repository: ```bash gh attestation verify --owner integrations --signer-repo \ integrations/terraform-provider-github \ - terraform-provider-github_X.Y.Z_darwin_amd64.zip + terraform-provider-github_${version}_darwin_amd64.zip ``` If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used. @@ -55,7 +55,7 @@ If you would like to require an artifact attestation to be signed with a specifi ```bash gh attestation verify --owner integrations --signer-workflow \ integrations/terraform-provider-github/.github/workflows/release.yaml \ - terraform-provider-github_X.Y.Z_darwin_amd64.zip + terraform-provider-github_${version}_darwin_amd64.zip ``` ## Verifying release artifacts with Cosign @@ -80,9 +80,9 @@ First, install Cosign if you haven't already. See the [installation instructions Download the checksums file and its signature bundle: ```bash -gh release download vX.Y.Z --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_X.Y.Z_SHA256SUMS" \ - -p "terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle" +gh release download v${version} --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_${version}_SHA256SUMS" \ + -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" ``` Verify the checksums file signature: 
@@ -102,14 +102,14 @@ After verifying the checksums file, verify your downloaded artifacts match the c Download the artifact you want to verify: ```bash -gh release download vX.Y.Z --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_X.Y.Z_darwin_amd64.zip" +gh release download v${version} --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_${version}_darwin_amd64.zip" ``` Verify the checksum: ```bash -shasum -a 256 -c terraform-provider-github_X.Y.Z_SHA256SUMS --ignore-missing +shasum -a 256 -c terraform-provider-github_${version}_SHA256SUMS --ignore-missing ``` This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity. From c9bb5b6f1a6b912795e0d415a8f6aae5a545fd60 Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Fri, 12 Dec 2025 19:27:51 +0100 Subject: [PATCH 08/21] Add Cosign attestation verification --- VERIFY_ATTESTATIONS.md | 109 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 99 insertions(+), 10 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 9801559c1a..a92e42cf92 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
@@ -27,17 +27,30 @@ Download the release artifacts first: ```bash version="x.y.z" -gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" +gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber ``` To verify the artifact attestations for this project, you can run the following command: ```bash -gh attestation verify --repo integrations/terraform-provider-github --source-ref "v${version}"\ - --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml \ +gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}"\ + --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ "terraform-provider-github_${version}_darwin_amd64.zip" ``` +### Verifying all artifacts at once + +Alternatively, you can verify all downloaded artifacts with a loop that provides individual status reporting: + +```bash +for artifact in terraform-provider-github_${version}_*.zip; do + echo "Verifying: $artifact" + gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}" \ + --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ + "$artifact" && echo "✓ Verified" || echo "✗ Failed" +done +``` + ### Using optional flags The `gh attestation verify` command supports additional flags for more specific verification: 
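Review bot: the loop in the new `Verifying all artifacts at once` section of patch 08's `@@ -27,17 +27,30 @@` hunk always exits 0, because `... && echo "✓ Verified" || echo "✗ Failed"` turns a failed `gh attestation verify` into a successful `echo`; a reader who pastes this into a script or CI step gets no failure signal from a bad artifact. Track the outcome (set `failed=1` in the `||` branch and `exit "${failed:-0}"` after the loop), and add `shopt -s nullglob` or an explicit existence check, since with no matching files the unexpanded pattern `terraform-provider-github_${version}_*.zip` is passed to `gh` as a filename.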
@@ -54,11 +67,11 @@ If you would like to require an artifact attestation to be signed with a specifi ```bash gh attestation verify --owner integrations --signer-workflow \ - integrations/terraform-provider-github/.github/workflows/release.yaml \ + integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ terraform-provider-github_${version}_darwin_amd64.zip ``` -## Verifying release artifacts with Cosign +## Verifying checksums file signature with Cosign and checking artifact integrity > [!WARNING] > Not all the releases may have Cosign signature for the checksum files. @@ -74,15 +87,12 @@ First, install Cosign if you haven't already. See the [installation instructions ### Verify checksums file -> [!NOTE] -> Make sure to replace X.Y.Z with the actual release tag you want to verify. - Download the checksums file and its signature bundle: ```bash gh release download v${version} --repo integrations/terraform-provider-github \ -p "terraform-provider-github_${version}_SHA256SUMS" \ - -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" + -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" --clobber ``` Verify the checksums file signature: @@ -103,7 +113,7 @@ Download the artifact you want to verify: ```bash gh release download v${version} --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_${version}_darwin_amd64.zip" + -p "terraform-provider-github_${version}_darwin_amd64.zip" --clobber ``` Verify the checksum: 
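Review bot: removing the `X.Y.Z` note from the `Verify checksums file` section in patch 08's `@@ -74,15 +87,12 @@` hunk leaves that section's commands using `${version}` with no definition nearby; `version` is only assigned in the GitHub CLI section above, so a reader who starts at the Cosign section runs `gh release download v --repo ...` with an empty version. Add `version="x.y.z"` to the first code block of the section, as the later SLSA provenance section does.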
@@ -113,3 +123,82 @@ shasum -a 256 -c terraform-provider-github_${version}_SHA256SUMS --ignore-missin ``` This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity. + +## Verifying SLSA Provenance Attestations with Cosign + +In addition to using the GitHub CLI, you can verify SLSA provenance attestations using Cosign by downloading the attestation and verifying it against your local artifact. + +### Prerequisites + +1. Install `cosign` for verifying attestations. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/). +2. Install `gh` (GitHub CLI) if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation). + +### Download and verify attestation + +> [!NOTE] +> Make sure to replace x.y.z with the actual release tag you want to verify. + +> [!CAUTION] +> The attestations are available only for the releases created since the version `v6.9.0` of this project. + +First, download the artifact you want to verify: + +```bash +version="x.y.z" +gh release download "v${version}" --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_${version}_darwin_amd64.zip" --clobber +``` + +Then, download the attestation associated with the artifact: + +```bash +gh attestation download "terraform-provider-github_${version}_darwin_amd64.zip" \ + --repo integrations/terraform-provider-github +``` + +This will create a file named `sha256:[digest].jsonl` in the current directory. 
+ +Verify the attestation using Cosign: + +```bash +# Calculate the digest and verify using the specific bundle file +digest=$(shasum -a 256 "terraform-provider-github_${version}_darwin_amd64.zip" | awk '{ print $1 }') +cosign verify-blob-attestation \ + --bundle "sha256:${digest}.jsonl" \ + --new-bundle-format \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ + "terraform-provider-github_${version}_darwin_amd64.zip" +``` + +A successful verification will output `Verified OK`, confirming that the artifact was built by the trusted GitHub Actions workflow and its provenance is securely recorded. + +### Verifying all release artifacts + +To verify all release artifacts for a specific version: + +```bash +version="x.y.z" + +# Download all release artifacts +gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber + +# Download attestations for all artifacts +for artifact in terraform-provider-github_${version}_*.zip; do + gh attestation download "$artifact" --repo integrations/terraform-provider-github +done + +# Verify all artifacts using specific digest-based bundle files +for artifact in terraform-provider-github_${version}_*.zip; do + echo "Verifying: $artifact" + digest=$(shasum -a 256 "$artifact" | awk '{ print $1 }') + cosign verify-blob-attestation \ + --bundle "sha256:${digest}.jsonl" \ + --new-bundle-format \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ + "$artifact" > /dev/null && echo "✓ Verified" || echo "✗ Failed" +done +``` + +This approach calculates the digest for each artifact and uses the corresponding specific bundle file, ensuring each artifact is verified against its own 
attestation. From dd90136d85917f07a31eb36aa4b178c16409b324 Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Mon, 22 Dec 2025 12:04:55 +0100 Subject: [PATCH 09/21] Use artifact variable Signed-off-by: Viacheslav Kudinov --- VERIFY_ATTESTATIONS.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index a92e42cf92..fbb563da6f 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -22,11 +22,14 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags > [!NOTE] > Make sure to replace x.y.z with the actual release tag you want to verify. +> Replace artifact name with the actual artifact you want to verify. Download the release artifacts first: ```bash version="x.y.z" +artifact="terraform-provider-github_${version}_darwin_amd64.zip" + gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber ``` @@ -35,7 +38,7 @@ To verify the artifact attestations for this project, you can run the following ```bash gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}"\ --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ - "terraform-provider-github_${version}_darwin_amd64.zip" + "$artifact" ``` ### Verifying all artifacts at once @@ -60,7 +63,7 @@ Use the `--signer-repo` flag to specify the repository: ```bash gh attestation verify --owner integrations --signer-repo \ integrations/terraform-provider-github \ - terraform-provider-github_${version}_darwin_amd64.zip + "$artifact" ``` If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used. 
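Review bot: in patch 08's `@@ -113,3 +123,82 @@` hunk, the sentence after `gh attestation download` should state that the bundle is fetched without being verified: nothing about `sha256:[digest].jsonl` is trusted until `cosign verify-blob-attestation` succeeds with the pinned `--certificate-identity` and `--certificate-oidc-issuer`, and a reader could otherwise read the presence of the file as a result. The same hunk adds a third `Prerequisites` section repeating the `gh` and `cosign` install links already given above; one prerequisites list at the top of the document would be easier to keep current. The `✓/✗` loop at the end of the hunk has the same always-zero exit status as the earlier `gh` loop.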
@@ -68,7 +71,7 @@ If you would like to require an artifact attestation to be signed with a specifi ```bash gh attestation verify --owner integrations --signer-workflow \ integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ - terraform-provider-github_${version}_darwin_amd64.zip + "$artifact" ``` ## Verifying checksums file signature with Cosign and checking artifact integrity @@ -112,8 +115,9 @@ After verifying the checksums file, verify your downloaded artifacts match the c Download the artifact you want to verify: ```bash +artifact="terraform-provider-github_${version}_darwin_amd64.zip" gh release download v${version} --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_${version}_darwin_amd64.zip" --clobber + -p "$artifact" --clobber ``` Verify the checksum: @@ -137,6 +141,7 @@ In addition to using the GitHub CLI, you can verify SLSA provenance attestations > [!NOTE] > Make sure to replace x.y.z with the actual release tag you want to verify. +> Replace artifact name with the actual artifact you want to verify. > [!CAUTION] > The attestations are available only for the releases created since the version `v6.9.0` of this project. @@ -145,14 +150,16 @@ First, download the artifact you want to verify: ```bash version="x.y.z" +artifact="terraform-provider-github_${version}_darwin_amd64.zip" + gh release download "v${version}" --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_${version}_darwin_amd64.zip" --clobber + -p "$artifact" --clobber ``` Then, download the attestation associated with the artifact: ```bash -gh attestation download "terraform-provider-github_${version}_darwin_amd64.zip" \ +gh attestation download "$artifact" \ --repo integrations/terraform-provider-github ``` 
@@ -162,13 +169,13 @@ Verify the attestation using Cosign: ```bash # Calculate the digest and verify using the specific bundle file -digest=$(shasum -a 256 "terraform-provider-github_${version}_darwin_amd64.zip" | awk '{ print $1 }') +digest=$(shasum -a 256 "$artifact" | awk '{ print $1 }') cosign verify-blob-attestation \ --bundle "sha256:${digest}.jsonl" \ --new-bundle-format \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ - "terraform-provider-github_${version}_darwin_amd64.zip" + "$artifact" ``` A successful verification will output `Verified OK`, confirming that the artifact was built by the trusted GitHub Actions workflow and its provenance is securely recorded. From a1082cb25ddc2b6646c65f653e80be0b540e9a44 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 18:36:56 +0100 Subject: [PATCH 10/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index fbb563da6f..83d95605bb 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
@@ -2,13 +2,12 @@ This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project. -## Verifying release artifacts attestations with GitHub CLI - -> [!WARNING] -> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. +> [!INFO] +> Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available. +> +> Attestations are only available for releases from `v6.9.0`. -> [!CAUTION] -> The attestations are available only for the releases created since the version `v6.9.0` of this project. +## Verifying release artifacts attestations with GitHub CLI ### Prerequisites From 58a7f7ec569de135d85ee03a4a361dc8ede5f353 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 18:37:03 +0100 Subject: [PATCH 11/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 83d95605bb..50aeaa8609 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -13,7 +13,7 @@ This project started to use GitHub Action to create attestations for the release First, install GitHub CLI if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation) for your platform. -### Verifying attestations +### Verifying Attestations To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI. 
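Review bot: `> [!INFO]` in patch 10's `@@ -2,13 +2,12 @@` hunk is not one of GitHub's alert types (`NOTE`, `TIP`, `IMPORTANT`, `WARNING`, `CAUTION`), so the block renders as a plain blockquote with the literal text `[!INFO]`; use `[!NOTE]` (as patch 12 later does) or keep `[!WARNING]`. Merging the two notices into one block also drops the separate emphasis the `v6.9.0` cut-off had as a `[!CAUTION]`.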
From 1c5420e8ba2eb7330e0965660271af3a389e6e8b Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Fri, 16 Jan 2026 18:48:45 +0100 Subject: [PATCH 12/21] Update headings and blockquote --- VERIFY_ATTESTATIONS.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 50aeaa8609..94356b5949 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -1,13 +1,13 @@ -# Using artifact attestations to achieve SLSA v1 Build Level 3 +# Using artifact Attestations to achieve SLSA v1 Build Level 3 This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project. -> [!INFO] +> [!NOTE] > Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available. > > Attestations are only available for releases from `v6.9.0`. -## Verifying release artifacts attestations with GitHub CLI +## Verifying release artifacts Attestations with GitHub CLI ### Prerequisites 
@@ -75,11 +75,10 @@ gh attestation verify --owner integrations --signer-workflow \ ## Verifying checksums file signature with Cosign and checking artifact integrity -> [!WARNING] -> Not all the releases may have Cosign signature for the checksum files. - -> [!CAUTION] -> The Cosign signatures are available only for the releases created since the version `v6.9.0` of this project. +> [!NOTE] +> Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available. +> +> Attestations are only available for releases from `v6.9.0`. In addition to artifact attestations, you can verify release artifacts using [Cosign](https://docs.sigstore.dev/cosign/overview/). Cosign is a tool for signing and verifying software artifacts and container images. @@ -136,14 +135,16 @@ In addition to using the GitHub CLI, you can verify SLSA provenance attestations 1. Install `cosign` for verifying attestations. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/). 2. Install `gh` (GitHub CLI) if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation). -### Download and verify attestation +### Download and verify Attestation > [!NOTE] > Make sure to replace x.y.z with the actual release tag you want to verify. > Replace artifact name with the actual artifact you want to verify. -> [!CAUTION] -> The attestations are available only for the releases created since the version `v6.9.0` of this project. +> [!NOTE] +> Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available. +> +> Attestations are only available for releases from `v6.9.0`. First, download the artifact you want to verify: 
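Review bot: the `@@ -75,11 +75,10 @@` hunk replaces the Cosign-specific caveat (`> Not all the releases may have Cosign signature for the checksum files.`) with the attestations callout copied from the top of the document, so the Cosign section now warns readers about attestations and links to the attestations page, which is not where Cosign signature bundles for the checksums file are listed. Keep the Cosign wording here, e.g. `> Not all releases have a Cosign signature for the checksums file.` followed by `> Cosign signatures are only available for releases from `v6.9.0` onwards.` In the `@@ -136,14 +135,16 @@` hunk the same attestations callout is pasted a third time directly beneath an existing `> [!NOTE]` block, giving two consecutive NOTE alerts; since the version cut-off is already stated at the top of the file, one short sentence pointing back to it (or merging it into the existing NOTE) is enough. `### Download and verify Attestation` has the same mixed capitalization as the earlier hunk.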
From c6d03e4d5662296c09dce742857e6f5f4933e779 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:47:22 +0100 Subject: [PATCH 13/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 94356b5949..1134dd1c85 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -1,4 +1,4 @@ -# Using artifact Attestations to achieve SLSA v1 Build Level 3 +# Using Artifact Attestations to Achieve SLSA v1 Build Level 3 This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project. From b30fff1fed6f1ec9291d32a03be29ce2d46313d0 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:47:30 +0100 Subject: [PATCH 14/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 1134dd1c85..0213b963a6 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -7,7 +7,7 @@ This project started to use GitHub Action to create attestations for the release > > Attestations are only available for releases from `v6.9.0`. -## Verifying release artifacts Attestations with GitHub CLI +## Verifying with GitHub CLI ### Prerequisites From 3cd061eae96f544ab657c33d16cd1d092c2a9d55 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:47:41 +0100 Subject: [PATCH 15/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 0213b963a6..4eecf82ddb 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
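Review bot: the commit subjects `Update VERIFY_ATTESTATIONS.md` on PATCH 13 through 21 say nothing about what changed; each is a one-line heading-case edit accepted from review suggestions, so squash them into a single commit with a descriptive subject (for example "Use title case for VERIFY_ATTESTATIONS.md headings") before merge rather than landing nine near-identical commits. The `## Verifying with GitHub CLI` rename in PATCH 14 drops "release artifact attestations" from the heading, which is fine under the H1, but the Cosign H2 later in the file should then be made parallel in the same commit rather than in a separate one.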
@@ -40,7 +40,7 @@ gh attestation verify --repo integrations/terraform-provider-github --source-ref "$artifact" ``` -### Verifying all artifacts at once +### Verifying All Artifacts Alternatively, you can verify all downloaded artifacts with a loop that provides individual status reporting: From 3a3fd178731f8f190a8fb80dd0740646919512f2 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:47:55 +0100 Subject: [PATCH 16/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 4eecf82ddb..a80952ba97 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -86,7 +86,7 @@ In addition to artifact attestations, you can verify release artifacts using [Co First, install Cosign if you haven't already. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/) for your platform. -### Verify checksums file +### Verify Checksums File Download the checksums file and its signature bundle: From c2010ac2a93a43f16337e49e11e9b8f6e687a484 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:48:04 +0100 Subject: [PATCH 17/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index a80952ba97..0db95077f1 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
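Review bot: the two renames mix verb forms: PATCH 15 yields `### Verifying All Artifacts` while PATCH 16 yields `### Verify Checksums File`, so the document's H3 headings now alternate between gerund ("Verifying ...") and imperative ("Verify ...") forms; pick one and apply it to every H3. `Verify Checksums File` also undersells the section, whose context line says it downloads "the checksums file and its signature bundle"; `Verify the Checksums File Signature` describes the step the reader is actually performing.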
@@ -135,7 +135,7 @@ In addition to using the GitHub CLI, you can verify SLSA provenance attestations 1. Install `cosign` for verifying attestations. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/). 2. Install `gh` (GitHub CLI) if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation). -### Download and verify Attestation +### Download and Verify Attestation > [!NOTE] > Make sure to replace x.y.z with the actual release tag you want to verify. From 81847308984fc5a8a5bd23fa998887c623e59fa2 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:48:14 +0100 Subject: [PATCH 18/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 0db95077f1..e493d11e95 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -180,7 +180,7 @@ cosign verify-blob-attestation \ A successful verification will output `Verified OK`, confirming that the artifact was built by the trusted GitHub Actions workflow and its provenance is securely recorded. -### Verifying all release artifacts +### Verifying All Release Artifacts To verify all release artifacts for a specific version: From 188c5673b36fcdf9c8e36d6678a53b04688e7094 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:48:23 +0100 Subject: [PATCH 19/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index e493d11e95..0b17312a93 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
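Review bot: same gerund/imperative inconsistency here: `### Download and Verify Attestation` (PATCH 17) against `### Verifying All Release Artifacts` (PATCH 18). Independently of the heading, the context line in the PATCH 18 hunk asserts that `Verified OK` confirms "the artifact was built by the trusted GitHub Actions workflow"; that is only true if the `cosign verify-blob-attestation \` invocation immediately above (only its first line is in this hunk's context) pins the certificate identity and OIDC issuer of the release workflow. Worth confirming those flags are present, otherwise the sentence overstates what a successful verification proves.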
@@ -53,7 +53,7 @@ for artifact in terraform-provider-github_${version}_*.zip; do done ``` -### Using optional flags +### Using Optional Flags The `gh attestation verify` command supports additional flags for more specific verification: From 9fb52989a3aef54d85713061a4ebb177c9310fbf Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:48:32 +0100 Subject: [PATCH 20/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 0b17312a93..f124fc924a 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -106,7 +106,7 @@ cosign verify-blob \ "terraform-provider-github_${version}_SHA256SUMS" ``` -### Verify artifact checksums +### Verify Artifact Checksums After verifying the checksums file, verify your downloaded artifacts match the checksums: From 329ea4136885ec42f1d057a46d60a3a237296d55 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 16 Jan 2026 20:48:47 +0100 Subject: [PATCH 21/21] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index f124fc924a..e9b18f0453 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -73,7 +73,7 @@ gh attestation verify --owner integrations --signer-workflow \ "$artifact" ``` -## Verifying checksums file signature with Cosign and checking artifact integrity +## Verifying with Cosign > [!NOTE] > Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available.
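Review bot: `## Verifying with Cosign` in PATCH 21 is a good parallel to `## Verifying with GitHub CLI`, but the trailing context lines of that hunk show the callout directly beneath it still reads "Not all artifacts may have attestations generated for them" and links to the attestations page; under a Cosign heading this should describe the Cosign signature of the checksums file and where to find it, since that is what the section verifies. PATCH 19 and 20 (`### Using Optional Flags`, `### Verify Artifact Checksums`) are case-only edits and belong in the squashed heading-style commit suggested above.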