diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 1f4d14325..0abae4ec2 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -107,7 +107,7 @@ jobs: base64-subjects: "${{ needs.release-client.outputs[format('hashes-{0}', matrix.os)] }}" upload-assets: true upload-tag-name: ${{ needs.release-please.outputs.package-client-tag }} - provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }} + provenance-name: ${{ format('{0}-client-multiple-provenance.intoto.jsonl', matrix.os) }} release-server-provenance: needs: [ 'release-please', 'release-server' ] @@ -124,7 +124,7 @@ jobs: base64-subjects: "${{ needs.release-server.outputs[format('hashes-{0}', matrix.os)] }}" upload-assets: true upload-tag-name: ${{ needs.release-please.outputs.package-server-tag }} - provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }} + provenance-name: ${{ format('{0}-server-multiple-provenance.intoto.jsonl', matrix.os) }} release-server-redis-provenance: needs: [ 'release-please', 'release-server-redis' ] @@ -141,4 +141,4 @@ jobs: base64-subjects: "${{ needs.release-server-redis.outputs[format('hashes-{0}', matrix.os)] }}" upload-assets: true upload-tag-name: ${{ needs.release-please.outputs.package-server-redis-tag }} - provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }} + provenance-name: ${{ format('{0}-server-redis-multiple-provenance.intoto.jsonl', matrix.os) }} diff --git a/PROVENANCE.md b/PROVENANCE.md index 6c5d60179..9075f7df5 100644 --- a/PROVENANCE.md +++ b/PROVENANCE.md @@ -2,18 +2,18 @@ LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. -As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `OSNAME-multiple-provenance.intoto.jsonl`. +As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `OSNAME-PACKAGE-multiple-provenance.intoto.jsonl`. To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages for Linux is included below: ``` # Ensure provenance file is downloaded along with packages for your OS $ ls /tmp/launchdarkly-cpp-client-3.4.0 -linux-gcc-x64-dynamic.zip linux-gcc-x64-static.zip linux-multiple-provenance.intoto.jsonl +linux-gcc-x64-dynamic.zip linux-gcc-x64-static.zip linux-client-multiple-provenance.intoto.jsonl # Run slsa-verifier to verify provenance against package artifacts $ slsa-verifier verify-artifact \ ---provenance-path linux-multiple-provenance.intoto.jsonl \ +--provenance-path linux-client-multiple-provenance.intoto.jsonl \ --source-uri github.com/launchdarkly/cpp-sdks \ linux-gcc-x64-static.zip linux-gcc-x64-dynamic.zip Verified signature against tlog entry index 59501683 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ad75383b2cf5388a2587a27acf06c948205b60999c208ae5fcbe89fae6a6aae70