Example of a Go project following SIG Security's recommendations
APACHE-2.0 License
Optionally, we have examples of the following, which are NOT official recommendations at this point:
Attestations are created as part of the release and carry metadata about the build (provenance) that was used to generate that artifact. The artifact's SHA-256 checksum is used as the key, so that users can compute the checksum of a local artifact and use it to obtain information about the origins of that artifact.
We list here two possible ways to verify the provenance of our deliverables: a binary, and a container image.
Verifying the binary using the GitHub CLI tool (gh):
gh attestation verify otel-sig-security-example-go_0.0.3_linux_amd64.tar.gz --owner jpkrohling
Verifying the container image using gh:
gh attestation verify oci://ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3 --owner jpkrohling
Note: jpkrohling refers to the organization, and would be open-telemetry on our actual repositories.
The transparency logs can be queried here: Sigstore's Transparency Logs
Verifying the binary: compute the sha256sum of the file:
sha256sum otel-sig-security-example-go_0.0.3_linux_amd64.tar.gz
sha256:0d1d5c2255d7420e2561543cf74acdd98e6800f034a64bd771f6f83d2588ca26
Verifying the container image:
docker pull ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3
docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/jpkrohling/otel-sig-security-example-go:0.0.3
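As an added example (not part of this repository), the shell script below ties the steps above together: it derives the `sha256:<hex>` key that provenance lookups are keyed on for a local tarball, extracts the same kind of digest from a `docker inspect` RepoDigests entry, and only calls `gh attestation verify --owner` once the local checksum matches the published one. Function names and the `/tmp` sample file are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's own tooling. Function names are assumptions.
set -eu

# Print the digest of a local artifact as "sha256:<hex>", the form used as the
# lookup key for its build provenance.
artifact_digest() {
  # sha256sum (coreutils) on Linux; shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then
    hex=$(sha256sum "$1" | cut -d' ' -f1)
  else
    hex=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  printf 'sha256:%s\n' "$hex"
}

# Extract "sha256:<hex>" from a RepoDigests entry such as
# "ghcr.io/org/image@sha256:...", as printed by docker inspect.
image_digest() {
  case "$1" in
    *@sha256:*) printf '%s\n' "${1#*@}" ;;
    *) echo "no digest in '$1'" >&2; return 1 ;;
  esac
}

# Compare a local artifact against the checksum published with the release.
# Returns non-zero on mismatch so a tampered download is never verified further.
check_published_digest() {
  actual=$(artifact_digest "$1")
  [ "$actual" = "$2" ]
}

# Run the provenance check only after the local digest matches the published one.
# Usage: verify_release_artifact <file> <sha256:hex> <github-owner>
verify_release_artifact() {
  file=$1; expected=$2; owner=$3
  check_published_digest "$file" "$expected" \
    || { echo "checksum mismatch for $file" >&2; return 1; }
  gh attestation verify "$file" --owner "$owner"
}
```

`verify_release_artifact` needs network access and an authenticated `gh`; the digest helpers run offline.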