
How to Create and Verify a Provenance Document with Github Actions

Open sheesh opened this issue 2 years ago • 1 comments

sheesh · Mar 10 '23 23:03

Drive-by comment - https://github.com/chainguard-dev/edu/blob/dcb111b5a6897079976550df4d08de627ad41f1d/.github/workflows/build-terminal-image.yaml#L85-L87 shows how to create an attestation for an SPDX JSON file here in the Edu repo.

On the verifying side, the following command verifies the attestation:

```shell
cosign verify-attestation <registry_url>/<image> \
  --type "https://spdx.dev/Document" \
  --certificate-identity https://github.com/chainguard-dev/edu/.github/workflows/build-terminal-image.yaml@refs/heads/main \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

jamonation · Mar 27 '23 15:03
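The `cosign verify-attestation` command above checks the Sigstore signature and the signer identity, then prints the verified DSSE envelope(s) as JSON. A consumer still has to unwrap that envelope and confirm that the in-toto statement really is an SPDX document for the image digest it is about to deploy. The following is an added example of that post-verification policy check, not code from this issue or from the Edu repository; the envelope, the all-`a` digest and the image name are constructed placeholders, and the check assumes cosign has already verified the signature (it does not re-verify it).

```python
import base64
import json

# Values from the issue: the predicate type passed to `cosign --type`.
SPDX_PREDICATE = "https://spdx.dev/Document"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def decode_envelope(envelope_json: str) -> dict:
    """Unwrap one DSSE envelope line printed by `cosign verify-attestation`
    and return the in-toto Statement it carries. cosign has already checked
    the signature; this only decodes the base64 payload."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def check_spdx_statement(statement: dict, expected_sha256: str) -> dict:
    """Policy check: the predicate must be an SPDX document and one subject
    must carry the exact image digest we intend to run. Returns the SPDX
    predicate on success; raises ValueError on any mismatch."""
    if statement.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')!r}")
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == expected_sha256 for s in subjects):
        raise ValueError("attestation subject does not match the expected image digest")
    return statement["predicate"]


# Constructed sample envelope (hypothetical digest and image name, not real).
SAMPLE_DIGEST = "a" * 64
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "example.invalid/image", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "example-sbom", "packages": []},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": INTOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],  # checked by cosign, not here
})

if __name__ == "__main__":
    predicate = check_spdx_statement(decode_envelope(SAMPLE_ENVELOPE), SAMPLE_DIGEST)
    print("verified SPDX", predicate["spdxVersion"], "for", predicate["name"])
```

In practice, pipe each line of `cosign verify-attestation` output into `decode_envelope` and pass the digest from `crane digest` or the image manifest as `expected_sha256`.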