
Commit 3502a95

author
Thomas Neidhart
committed
chore: improve release download script, update README to 1.3.0 release
1 parent 316d334 commit 3502a95


2 files changed

+36
-15
lines changed


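--- a/README.md
+++ b/README.md
@@ -34,23 +34,22 @@ To download a release and perform verification whether the downloaded artifact h
 you should use the `download-github-release.sh` script (supported since `v1.2.0`):
 
 ```bash
-$ ./download-github-release.sh -v 1.2.0
+$ ./download-github-release.sh -v 1.3.0
 ```
 
-This will download the `1.2.0` release together with the provenance and perform verification (requires that the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) tool is installe):
+This will download the `1.3.0` release together with the provenance and perform verification (requires that the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) tool is installe):
 
 ```bash
-$ ./download-github-release.sh -v 1.2.0
+$ ./download-github-release.sh -v 1.3.0
 REPO = eclipse-cbi/macos-notarization-service
-VERSION = 1.2.0
+VERSION = 1.3.0
 ARTIFACT = macos-notarization-service
-Downloaded artifact 'macos-notarization-service-1.2.0.zip'
-Downloaded provenance 'macos-notarization-service-1.2.0.zip.intoto.jsonl'
-Verifying artifact 'macos-notarization-service-1.2.0.zip' using provenance 'macos-notarization-service-1.2.0.zip.intoto.jsonl':
+Downloaded artifact 'macos-notarization-service-1.3.0.zip'
+Downloaded provenance 'macos-notarization-service-1.3.0-attestation.intoto.build.slsa'
+Verifying artifact 'macos-notarization-service-1.3.0.zip' using provenance 'macos-notarization-service-1.3.0-attestation.intoto.build.slsa':
 
-Verified signature against tlog entry index 38470756 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77afd34aec2bf00e490c71f748ac30e5ea98054baf21276e5dc43bbd1653789b273
-Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0" at commit 5ad9cfe7d0a03ad3d7f58c1561b42f175b1d6850
-Verifying artifact macos-notarization-service-1.2.0.zip: PASSED
+Verified build using builder "https://github.com/jreleaser/release-action/.github/workflows/builder_slsa3.yml@refs/tags/v1.1.0-java" at commit 5325c11c611568f5e043d934185183783f228c0a
+Verifying artifact macos-notarization-service-1.3.0.zip: PASSED
 
 PASSED: Verified SLSA provenance
 ```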

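--- a/download-github-release.sh
+++ b/download-github-release.sh
@@ -35,7 +35,15 @@ download-provenance() {
 verify() {
 echo "Verifying artifact '${ARTIFACT_FILENAME}' using provenance '${PROVENANCE_FILENAME}':"
 echo ""
-slsa-verifier verify-artifact --provenance-path ${PROVENANCE_FILENAME} ${ARTIFACT_FILENAME} --source-uri "github.com/${REPO}" --source-tag "v${VERSION}"
+
+# disable --source-tag for now as jreleaser uses the main branch as sourceURI for now:
+# --source-tag "v${VERSION}"
+
+slsa-verifier verify-artifact \
+--provenance-path ${PROVENANCE_FILENAME} \
+--source-uri "github.com/${REPO}" \
+--builder-id "https://github.com/jreleaser/release-action/.github/workflows/builder_slsa3.yml" \
+${ARTIFACT_FILENAME}
 }
 
 usage() {
@@ -49,7 +57,8 @@ Options:
 -a ARTIFACT the artifact to download, e.g. macos-notarization-service
 -e EXTENSION the extension to use, default: .zip
 -r REPO the GitHub repo to use for download, format: owner/repo-name, e.g. eclipse-cbi/macos-notarization-service
--v VERSION the release version to download, e.g. 1.2.0
+-v VERSION the release version to download, e.g. 1.3.0
+-f force downloading artifact and provenance
 -h show this help
 
 "
@@ -64,12 +73,12 @@ then
 exit 1
 fi
 
-
 ARTIFACT="macos-notarization-service"
 EXTENSION=".zip"
 REPO="eclipse-cbi/macos-notarization-service"
+FORCE=false
 
-while getopts ":a:e:r:v:" o; do
+while getopts ":a:e:r:v:f" o; do
 case "${o}" in
 a)
 ARTIFACT=${OPTARG}
@@ -83,6 +92,9 @@ while getopts ":a:e:r:v:" o; do
 v)
 VERSION=${OPTARG}
 ;;
+f)
+FORCE=true
+;;
 *)
 usage
 ;;
@@ -102,7 +114,11 @@ echo "ARTIFACT = ${ARTIFACT}"
 ARTIFACT_FILENAME="${ARTIFACT}-${VERSION}${EXTENSION}"
 ARTIFACT_URL="https://github.com/${REPO}/releases/download/v${VERSION}/${ARTIFACT_FILENAME}"
 
-download-artifact
+if [ -f "$ARTIFACT_FILENAME" ] && [ "$FORCE" == false ]; then
+echo "Using local artifact '${ARTIFACT_FILENAME}'"
+else
+download-artifact
+fi
 
 FOUND=false
 # the attestation filename has changed after using jreleaser
@@ -112,6 +128,12 @@ do
 PROVENANCE_FILENAME="${ARTIFACT}-${VERSION}${SUFFIX}"
 PROVENANCE_URL="https://github.com/${REPO}/releases/download/v${VERSION}/${PROVENANCE_FILENAME}"
 
+if [ -f "${PROVENANCE_FILENAME}" ] && [ "$FORCE" == false ]; then
+echo "Using local provenance '${PROVENANCE_FILENAME}'"
+FOUND=true
+break
+fi
+
 if download-provenance; then
 echo "Downloaded provenance '${PROVENANCE_FILENAME}'"
 FOUND=true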
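Review bot: The rewritten slsa-verifier call in verify() no longer ties the provenance to the release being downloaded: with `--source-tag` commented out, the check only requires that the provenance was produced by the jreleaser builder for `github.com/${REPO}`, so an artifact/provenance pair from any other build of that repository would pass this step as far as verify() is concerned. Until the jreleaser provenance records the tag, at least constrain the source with `--source-branch main \` (the new comment states main is the recorded sourceURI) and keep the commented `--source-tag "v${VERSION}"` as a TODO to restore rather than dropping it silently. The same call still passes the filenames unquoted; write them as `--provenance-path "${PROVENANCE_FILENAME}" \` and `"${ARTIFACT_FILENAME}"` so values given via -a/-e containing spaces or glob characters are not word-split. verify() is fully inside the first hunk; the later "Using local artifact/provenance" branches still appear to route both files through verify(), so a stale or altered local copy is re-verified rather than trusted, which is the right default.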
