diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 36e1653c3c25..ad08b34b333d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,6 +23,8 @@ env:
 
 jobs:
 build:
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
 runs-on: ubuntu-latest
 steps:
 -
@@ -100,6 +102,28 @@ jobs:
 draft: true
 files: ${{ env.RELEASE_OUT }}/*
 
+ -
+ name: Generate provenance subject
+ id: hash
+ run: |
+ set -euo pipefail
+
+ cd ${{ env.RELEASE_OUT }}
+ sha256sum * > checksums
+
+ echo "::set-output name=hashes::$(cat checksums | base64 -w0)"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.hashes }}"
+ upload-assets: true # Upload the generated provenance to release assets for tags.
+
 buildkit-edge:
 runs-on: ubuntu-latest
 continue-on-error: true
diff --git a/README.md b/README.md
index 319c7689cdb3..8388947fda52 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
 [![Build Status](https://img.shields.io/github/workflow/status/docker/buildx/build?label=build&logo=github&style=flat-square)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)
 [![Go Report Card](https://goreportcard.com/badge/github.com/docker/buildx?style=flat-square)](https://goreportcard.com/report/github.com/docker/buildx)
 [![codecov](https://img.shields.io/codecov/c/github/docker/buildx?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/buildx)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/images/gh-badge-level3.svg)
 
 `buildx` is a Docker CLI plugin for extended build capabilities with [BuildKit](https://github.com/moby/buildkit).
 
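Review bot: The `Generate provenance subject` step publishes its result with `::set-output`, a workflow command GitHub has deprecated in favour of the `$GITHUB_OUTPUT` file; the supported form is `echo "hashes=$(base64 -w0 < checksums)" >> "$GITHUB_OUTPUT"`. In the same step `cd ${{ env.RELEASE_OUT }}` interpolates a workflow expression directly into the shell script; because `RELEASE_OUT` is a workflow-level `env:` entry it is already present in the step's environment, so `cd "$RELEASE_OUT"` avoids the expression-in-script pattern and the unquoted path. The new `provenance` job is not gated on a tag ref while its `upload-assets` comment says the upload is for tags; unless the generator skips non-tag runs on its own, an `if:` on the job mirroring whatever condition guards the release step above it would keep the job from running and requesting `id-token: write` on every push. The `build` job's step list and the release step's own condition lie outside this hunk.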
@@ -90,6 +91,13 @@ Docker Linux packages also include Docker Buildx when installed using the
 > instead.
 
 For Linux, we recommend that you follow the [instructions specific for your distribution](#linux-packages). You can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
+We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
+1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
+2. Download the provenance file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
+3. Run the verifier:
+```shell
+slsa-verifier -artifact-path -provenance attestation.intoto.jsonl -source github.com/docker/buildx -branch master
+```
 Rename the relevant binary and copy it to the destination matching your OS: