How do we verify release assets with provenance? #4821
Unanswered
suzuki-shunsuke
asked this question in
Q&A
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Thank you for your great project.
This project releases pre-built binaries and provenance.
https://github.com/moby/buildkit/releases/tag/v0.13.1
So I tried to verify them with slsa-verifier, but it didn't work well.
I'm using slsa-verifier v2.5.1.
I tried to verify buildkit-v0.13.1.darwin-arm64.tar.gz with buildkit-v0.13.1.darwin-arm64.provenance.json, but slsa-verifier failed.
Beta Was this translation helpful? Give feedback.
All reactions