From 4d2ad530e7bf8ebdb232be1ec0cba638771b3b4a Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Thu, 30 Oct 2025 00:13:52 +0100 Subject: [PATCH 1/9] Add GH attestation on release Signed-off-by: Viacheslav Kudinov --- .github/workflows/release.yml | 5 ++++ VERIFY_ATTESTATIONS.md | 45 +++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 VERIFY_ATTESTATIONS.md diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ed7fd14b51..2d2730c446 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,3 +43,8 @@ jobs: # GitHub sets the GITHUB_TOKEN secret automatically. GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + + - name: Generate artifact attestations + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + with: + subject-path: 'dist/terraform-provider-github_*.zip' \ No newline at end of file diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md new file mode 100644 index 0000000000..edfce3c0cc --- /dev/null +++ b/VERIFY_ATTESTATIONS.md 
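Review bot: The new attestation step requires the job to hold `id-token: write` and `attestations: write`; the job's `permissions:` block is outside this hunk, so confirm it grants both, otherwise the step fails at release time. `subject-path` covers only the `dist/terraform-provider-github_*.zip` files, so the `*_SHA256SUMS` file that the verification guide in this series relies on gets no provenance attestation; the input accepts a multi-line list, e.g. `subject-path: |` followed by `dist/terraform-provider-github_*.zip` and `dist/terraform-provider-github_*_SHA256SUMS` on their own lines, if the checksums manifest should be attested too. Pinning the action to a full commit SHA with the `# v3.0.0` marker is the right choice; the added lines do leave the file without a trailing newline.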
@@ -0,0 +1,45 @@
+## Using artifact attestations to achieve SLSA v1 Build Level 3
+
+This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project.
+
+### Verifying artifact attestations built with a reusable workflow
+
+To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI.
+
+The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it.
+
+> [!NOTE]
+> Make sure to replace X.Y.Z with the actual release tag you want to verify.
+
+> [!WARNING]
+> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available.
+
+Download the release artifacts first:
+
+```bash
+gh release download vX.Y.Z -R integrations/terraform-provider-github -p "*.zip"
+```
+
+To verify the artifact attestations for this project, you can run the following command:
+
+```bash
+gh attestation verify --repo integrations/terraform-provider-github terraform-provider-github_X.Y.Z_darwin_amd64.zip
+```
+
+### Using optional flags
+
+The `gh attestation verify` command supports additional flags for more specific verification:
+
+Use the `--signer-repo` flag to specify the repository:
+
+```bash
+gh attestation verify --owner integrations --signer-repo integrations/terraform-provider-github \
+terraform-provider-github_X.Y.Z_darwin_amd64.zip
+```
+
+If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used.
+ +```bash +gh attestation verify --owner integrations --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yml \ +terraform-provider-github_X.Y.Z_darwin_amd64.zip +``` From 8ce65809c7ada5c2bc2a93b07169b6b411f6148d Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Mon, 8 Dec 2025 14:53:48 +0100 Subject: [PATCH 2/9] Add information that attestations are available sine v6.9.0 Signed-off-by: Viacheslav Kudinov --- VERIFY_ATTESTATIONS.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index edfce3c0cc..f1d8372497 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -14,10 +14,13 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags > [!WARNING] > Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. +> [!CAUTION] +> The attestations are available only for releases created since the version `v6.9.0` of this project. + Download the release artifacts first: ```bash -gh release download vX.Y.Z -R integrations/terraform-provider-github -p "*.zip" +gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.zip" ``` To verify the artifact attestations for this project, you can run the following command: From a3b39ede0d4a813b81ed93413c07d8ac58343743 Mon Sep 17 00:00:00 2001 From: Timo Sand Date: Mon, 8 Dec 2025 20:57:05 +0200 Subject: [PATCH 3/9] Ensure that boolean conversions cause panics (#2977) Signed-off-by: Timo Sand --- github/respository_rules_utils.go | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/github/respository_rules_utils.go b/github/respository_rules_utils.go index 0420d525de..681f2636b5 100644 --- a/github/respository_rules_utils.go 
+++ b/github/respository_rules_utils.go @@ -144,7 +144,10 @@ func expandConditions(input []any, org bool) *github.RulesetConditions { } } - protected := inputRepositoryName["protected"].(bool) + protected, ok := inputRepositoryName["protected"].(bool) + if !ok { + protected = false + } rulesetConditions.RepositoryName = &github.RulesetRepositoryNamesConditionParameters{ Include: include, @@ -277,7 +280,10 @@ func expandRules(input []any, org bool) []*github.RepositoryRule { patternParametersMap := v[0].(map[string]any) name := patternParametersMap["name"].(string) - negate := patternParametersMap["negate"].(bool) + negate, ok := patternParametersMap["negate"].(bool) + if !ok { + negate = false + } params := &github.RulePatternParameters{ Name: &name, @@ -355,10 +361,17 @@ func expandRules(input []any, org bool) []*github.RepositoryRule { } } - doNotEnforceOnCreate := requiredStatusMap["do_not_enforce_on_create"].(bool) + doNotEnforceOnCreate, ok := requiredStatusMap["do_not_enforce_on_create"].(bool) + if !ok { + doNotEnforceOnCreate = false + } + strictRequiredStatusChecksPolicy, ok := requiredStatusMap["strict_required_status_checks_policy"].(bool) + if !ok { + strictRequiredStatusChecksPolicy = false + } params := &github.RequiredStatusChecksRuleParameters{ RequiredStatusChecks: requiredStatusChecks, - StrictRequiredStatusChecksPolicy: requiredStatusMap["strict_required_status_checks_policy"].(bool), + StrictRequiredStatusChecksPolicy: strictRequiredStatusChecksPolicy, DoNotEnforceOnCreate: &doNotEnforceOnCreate, } rulesSlice = append(rulesSlice, github.NewRequiredStatusChecksRule(params)) 
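Review bot: The added `if !ok { protected = false }` after the comma-ok assertion is redundant: a failed `, ok` type assertion already leaves the variable at its zero value `false`, so `protected, _ := inputRepositoryName["protected"].(bool)` (or the comma-ok line with the `if` dropped) says the same thing in one line. The same three-line pattern repeats for `negate`, `doNotEnforceOnCreate` and `strictRequiredStatusChecksPolicy` in the other hunks of this file, including the `requiredWorkflowsMap` hunk that follows. The neighbouring context lines `patternParametersMap["name"].(string)` and `v[0].(map[string]any)` keep the single-value assertion and still panic on a missing or mistyped value, so the change is consistent only for booleans; if that is deliberate because the schema guarantees those keys, a short comment such as `// non-bool keys are guaranteed by the schema; a mismatch is a programming error` would spare the next reader the question. Both `expandConditions` and `expandRules` start and end outside these hunks.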
@@ -389,8 +402,13 @@ func expandRules(input []any, org bool) []*github.RepositoryRule { } } + doNotEnforceOnCreate, ok := requiredWorkflowsMap["do_not_enforce_on_create"].(bool) + if !ok { + doNotEnforceOnCreate = false + } + params := &github.RequiredWorkflowsRuleParameters{ - DoNotEnforceOnCreate: requiredWorkflowsMap["do_not_enforce_on_create"].(bool), + DoNotEnforceOnCreate: doNotEnforceOnCreate, RequiredWorkflows: requiredWorkflows, } rulesSlice = append(rulesSlice, github.NewRequiredWorkflowsRule(params)) From 00de37c3cea2f5d34c3c71c207a68405b55fe8fa Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Wed, 10 Dec 2025 22:43:40 +0100 Subject: [PATCH 4/9] Add Cosign verification --- VERIFY_ATTESTATIONS.md | 91 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 13 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index f1d8372497..2e6716d103 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
@@ -1,8 +1,20 @@ -## Using artifact attestations to achieve SLSA v1 Build Level 3 +# Using artifact attestations to achieve SLSA v1 Build Level 3 This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project. -### Verifying artifact attestations built with a reusable workflow +## Verifying release artifacts attestations with GitHub CLI + +> [!WARNING] +> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. + +> [!CAUTION] +> The attestations are available only for the releases created since the version `v6.9.0` of this project. + +### Prerequisites + +First, install GitHub CLI if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation) for your platform. + +### Verifying attestations To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI. @@ -11,12 +23,6 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags > [!NOTE] > Make sure to replace X.Y.Z with the actual release tag you want to verify. -> [!WARNING] -> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available. - -> [!CAUTION] -> The attestations are available only for releases created since the version `v6.9.0` of this project. - Download the release artifacts first: ```bash 
@@ -26,7 +32,8 @@ gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.z To verify the artifact attestations for this project, you can run the following command: ```bash -gh attestation verify --repo integrations/terraform-provider-github terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --repo integrations/terraform-provider-github \ + terraform-provider-github_X.Y.Z_darwin_amd64.zip ``` ### Using optional flags 
@@ -36,13 +43,71 @@ The `gh attestation verify` command supports additional flags for more specific Use the `--signer-repo` flag to specify the repository: ```bash -gh attestation verify --owner integrations --signer-repo integrations/terraform-provider-github \ -terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --owner integrations --signer-repo \ + integrations/terraform-provider-github \ + terraform-provider-github_X.Y.Z_darwin_amd64.zip ``` If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used. ```bash -gh attestation verify --owner integrations --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yml \ -terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --owner integrations --signer-workflow \ + integrations/terraform-provider-github/.github/workflows/release.yaml \ + terraform-provider-github_X.Y.Z_darwin_amd64.zip +``` + +## Verifying release artifacts with Cosign + +> [!WARNING] +> Not all the releases may have Cosign signature for the checksum files. + +> [!CAUTION] +> The Cosign signatures are available only for the releases created since the version `v6.9.0` of this project. + +In addition to artifact attestations, you can verify release artifacts using [Cosign](https://docs.sigstore.dev/cosign/overview/). Cosign is a tool for signing and verifying software artifacts and container images. + +### Prerequisites + +First, install Cosign if you haven't already. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/) for your platform. + +### Verify checksums file + +> [!NOTE] +> Make sure to replace X.Y.Z with the actual release tag you want to verify. 
+ +Download the checksums file and its signature bundle: + +```bash +gh release download vX.Y.Z --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_X.Y.Z_SHA256SUMS" \ + -p "terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle" +``` + +Verify the checksums file signature: + +```bash +cosign verify-blob \ + --bundle terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle \ + --certificate-identity-regexp "^https://github.com/integrations/terraform-provider-github" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + terraform-provider-github_X.Y.Z_SHA256SUMS ``` + +### Verify artifact checksums + +After verifying the checksums file, verify your downloaded artifacts match the checksums: + +Download the artifact you want to verify: + +```bash +gh release download vX.Y.Z --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_X.Y.Z_darwin_amd64.zip" +``` + +Verify the checksum: + +```bash +shasum -a 256 -c terraform-provider-github_X.Y.Z_SHA256SUMS --ignore-missing +``` + +This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity. From d032e0a085219035d2be2aa8dc3a8df9c1506824 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 12 Dec 2025 17:11:08 +0100 Subject: [PATCH 5/9] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 2e6716d103..a2f0642bc1 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
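Review bot: The `--signer-workflow` example is changed from `.github/workflows/release.yml` to `.github/workflows/release.yaml`, but the workflow this series modifies is `.github/workflows/release.yml` (first patch); unless the workflow has been renamed outside this series, no certificate identity will ever match that path and every verification that follows this guide fails. The later patches repeat `release.yaml` in the `--signer-workflow` and `cosign --certificate-identity` examples, so the fix is one substitution throughout: `integrations/terraform-provider-github/.github/workflows/release.yml`. Separately, the bundle downloaded for the checksums step is named `terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle`, a name that suggests it was produced for the `.sbom.json` artifact rather than for `SHA256SUMS`; confirm which blob that bundle actually signs before documenting it as the checksums signature, since `cosign verify-blob` rejects a bundle whose payload digest belongs to a different file.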
@@ -26,7 +26,8 @@ The `gh attestation verify` command requires either `--owner` or `--repo` flags Download the release artifacts first: ```bash -gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.zip" +version="x.y.z" +gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" ``` To verify the artifact attestations for this project, you can run the following command: From 199e2e67c51d654a513991dcdb98e736373952f9 Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 12 Dec 2025 17:12:15 +0100 Subject: [PATCH 6/9] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index a2f0642bc1..cf1a4a2f50 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -33,8 +33,9 @@ gh release download "v${version}" --repo integrations/terraform-provider-github To verify the artifact attestations for this project, you can run the following command: ```bash -gh attestation verify --repo integrations/terraform-provider-github \ - terraform-provider-github_X.Y.Z_darwin_amd64.zip +gh attestation verify --repo integrations/terraform-provider-github --source-ref "v${version}"\ + --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml \ + "terraform-provider-github_X.Y.Z_darwin_amd64.zip" ``` ### Using optional flags From 3e4e256b09cbb405b1e3af355033882d9176e29b Mon Sep 17 00:00:00 2001 From: Viacheslav Date: Fri, 12 Dec 2025 17:13:31 +0100 Subject: [PATCH 7/9] Update VERIFY_ATTESTATIONS.md Co-authored-by: Steve Hipwell --- VERIFY_ATTESTATIONS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index cf1a4a2f50..03a0c7ca10 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
@@ -89,10 +89,10 @@ Verify the checksums file signature: ```bash cosign verify-blob \ - --bundle terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle \ - --certificate-identity-regexp "^https://github.com/integrations/terraform-provider-github" \ + --bundle "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - terraform-provider-github_X.Y.Z_SHA256SUMS + --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ + "terraform-provider-github_${version}_SHA256SUMS" ``` ### Verify artifact checksums From a03b298f0b9ab2d227fbf815b70e26214b833014 Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Fri, 12 Dec 2025 17:17:37 +0100 Subject: [PATCH 8/9] Use ${version} in all the commands Signed-off-by: Viacheslav Kudinov --- VERIFY_ATTESTATIONS.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 03a0c7ca10..9801559c1a 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md @@ -21,7 +21,7 @@ To verify artifact attestations generated during the build process, use the `gh The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it. > [!NOTE] -> Make sure to replace X.Y.Z with the actual release tag you want to verify. +> Make sure to replace x.y.z with the actual release tag you want to verify. Download the release artifacts first: @@ -35,7 +35,7 @@ To verify the artifact attestations for this project, you can run the following ```bash gh attestation verify --repo integrations/terraform-provider-github --source-ref "v${version}"\ --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml \ - "terraform-provider-github_X.Y.Z_darwin_amd64.zip" + "terraform-provider-github_${version}_darwin_amd64.zip" ``` ### Using optional flags 
@@ -47,7 +47,7 @@ Use the `--signer-repo` flag to specify the repository: ```bash gh attestation verify --owner integrations --signer-repo \ integrations/terraform-provider-github \ - terraform-provider-github_X.Y.Z_darwin_amd64.zip + terraform-provider-github_${version}_darwin_amd64.zip ``` If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used. @@ -55,7 +55,7 @@ If you would like to require an artifact attestation to be signed with a specifi ```bash gh attestation verify --owner integrations --signer-workflow \ integrations/terraform-provider-github/.github/workflows/release.yaml \ - terraform-provider-github_X.Y.Z_darwin_amd64.zip + terraform-provider-github_${version}_darwin_amd64.zip ``` ## Verifying release artifacts with Cosign @@ -80,9 +80,9 @@ First, install Cosign if you haven't already. See the [installation instructions Download the checksums file and its signature bundle: ```bash -gh release download vX.Y.Z --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_X.Y.Z_SHA256SUMS" \ - -p "terraform-provider-github_X.Y.Z_SHA256SUMS.sbom.json.bundle" +gh release download v${version} --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_${version}_SHA256SUMS" \ + -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" ``` Verify the checksums file signature: 
@@ -102,14 +102,14 @@ After verifying the checksums file, verify your downloaded artifacts match the c Download the artifact you want to verify: ```bash -gh release download vX.Y.Z --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_X.Y.Z_darwin_amd64.zip" +gh release download v${version} --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_${version}_darwin_amd64.zip" ``` Verify the checksum: ```bash -shasum -a 256 -c terraform-provider-github_X.Y.Z_SHA256SUMS --ignore-missing +shasum -a 256 -c terraform-provider-github_${version}_SHA256SUMS --ignore-missing ``` This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity. From c9bb5b6f1a6b912795e0d415a8f6aae5a545fd60 Mon Sep 17 00:00:00 2001 From: Viacheslav Kudinov Date: Fri, 12 Dec 2025 19:27:51 +0100 Subject: [PATCH 9/9] Add Cosign attestation verification --- VERIFY_ATTESTATIONS.md | 109 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 99 insertions(+), 10 deletions(-) diff --git a/VERIFY_ATTESTATIONS.md b/VERIFY_ATTESTATIONS.md index 9801559c1a..a92e42cf92 100644 --- a/VERIFY_ATTESTATIONS.md +++ b/VERIFY_ATTESTATIONS.md 
@@ -27,17 +27,30 @@ Download the release artifacts first: ```bash version="x.y.z" -gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" +gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber ``` To verify the artifact attestations for this project, you can run the following command: ```bash -gh attestation verify --repo integrations/terraform-provider-github --source-ref "v${version}"\ - --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml \ +gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}"\ + --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ "terraform-provider-github_${version}_darwin_amd64.zip" ``` +### Verifying all artifacts at once + +Alternatively, you can verify all downloaded artifacts with a loop that provides individual status reporting: + +```bash +for artifact in terraform-provider-github_${version}_*.zip; do + echo "Verifying: $artifact" + gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}" \ + --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ + "$artifact" && echo "✓ Verified" || echo "✗ Failed" +done +``` + ### Using optional flags The `gh attestation verify` command supports additional flags for more specific verification: 
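Review bot: In the new "Verifying all artifacts at once" loop, `"$artifact" && echo "✓ Verified" || echo "✗ Failed"` turns a failed verification into a printed line and leaves the loop's exit status at 0, so anyone who pastes this into a script or CI step gets a green result with an unverified artifact in it. Keep a flag: `failed=0` before the loop, `"$artifact" && echo "✓ Verified" || { echo "✗ Failed"; failed=1; }` as the last command line, and `exit "$failed"` (or an `if` on it) after `done`. The Cosign loop in the last patch of this series has the same shape and additionally sends cosign's output to `/dev/null`, which hides the reason for a failure; apply the same flag there and drop the redirect. The quoting within the command is also uneven, `--source-ref "refs/tags/v${version}"` is quoted while the `--signer-workflow ...@refs/tags/v${version}` value is not; harmless for a plain version string, but worth aligning.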
@@ -54,11 +67,11 @@ If you would like to require an artifact attestation to be signed with a specifi ```bash gh attestation verify --owner integrations --signer-workflow \ - integrations/terraform-provider-github/.github/workflows/release.yaml \ + integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \ terraform-provider-github_${version}_darwin_amd64.zip ``` -## Verifying release artifacts with Cosign +## Verifying checksums file signature with Cosign and checking artifact integrity > [!WARNING] > Not all the releases may have Cosign signature for the checksum files. @@ -74,15 +87,12 @@ First, install Cosign if you haven't already. See the [installation instructions ### Verify checksums file -> [!NOTE] -> Make sure to replace X.Y.Z with the actual release tag you want to verify. - Download the checksums file and its signature bundle: ```bash gh release download v${version} --repo integrations/terraform-provider-github \ -p "terraform-provider-github_${version}_SHA256SUMS" \ - -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" + -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" --clobber ``` Verify the checksums file signature: @@ -103,7 +113,7 @@ Download the artifact you want to verify: ```bash gh release download v${version} --repo integrations/terraform-provider-github \ - -p "terraform-provider-github_${version}_darwin_amd64.zip" + -p "terraform-provider-github_${version}_darwin_amd64.zip" --clobber ``` Verify the checksum: 
@@ -113,3 +123,82 @@ shasum -a 256 -c terraform-provider-github_${version}_SHA256SUMS --ignore-missin ``` This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity. + +## Verifying SLSA Provenance Attestations with Cosign + +In addition to using the GitHub CLI, you can verify SLSA provenance attestations using Cosign by downloading the attestation and verifying it against your local artifact. + +### Prerequisites + +1. Install `cosign` for verifying attestations. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/). +2. Install `gh` (GitHub CLI) if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation). + +### Download and verify attestation + +> [!NOTE] +> Make sure to replace x.y.z with the actual release tag you want to verify. + +> [!CAUTION] +> The attestations are available only for the releases created since the version `v6.9.0` of this project. + +First, download the artifact you want to verify: + +```bash +version="x.y.z" +gh release download "v${version}" --repo integrations/terraform-provider-github \ + -p "terraform-provider-github_${version}_darwin_amd64.zip" --clobber +``` + +Then, download the attestation associated with the artifact: + +```bash +gh attestation download "terraform-provider-github_${version}_darwin_amd64.zip" \ + --repo integrations/terraform-provider-github +``` + +This will create a file named `sha256:[digest].jsonl` in the current directory. 
+ +Verify the attestation using Cosign: + +```bash +# Calculate the digest and verify using the specific bundle file +digest=$(shasum -a 256 "terraform-provider-github_${version}_darwin_amd64.zip" | awk '{ print $1 }') +cosign verify-blob-attestation \ + --bundle "sha256:${digest}.jsonl" \ + --new-bundle-format \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ + "terraform-provider-github_${version}_darwin_amd64.zip" +``` + +A successful verification will output `Verified OK`, confirming that the artifact was built by the trusted GitHub Actions workflow and its provenance is securely recorded. + +### Verifying all release artifacts + +To verify all release artifacts for a specific version: + +```bash +version="x.y.z" + +# Download all release artifacts +gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber + +# Download attestations for all artifacts +for artifact in terraform-provider-github_${version}_*.zip; do + gh attestation download "$artifact" --repo integrations/terraform-provider-github +done + +# Verify all artifacts using specific digest-based bundle files +for artifact in terraform-provider-github_${version}_*.zip; do + echo "Verifying: $artifact" + digest=$(shasum -a 256 "$artifact" | awk '{ print $1 }') + cosign verify-blob-attestation \ + --bundle "sha256:${digest}.jsonl" \ + --new-bundle-format \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \ + "$artifact" > /dev/null && echo "✓ Verified" || echo "✗ Failed" +done +``` + +This approach calculates the digest for each artifact and uses the corresponding specific bundle file, ensuring each artifact is verified against its own 
attestation.