mirror of https://github.com/restic/restic.git synced 2025-03-09 00:00:02 +01:00

docs: add instructions for verifying SLSA provenance of Docker images

docs: update the documentation
This commit is contained in:
Srigovind Nayak 2024-09-29 15:56:17 +05:30 committed by Srigovind Nayak
parent 144221b430
commit d422e75e08
No known key found for this signature in database
GPG key ID: 09006810B7263D69


@ -113,6 +113,34 @@ The following steps are necessary to build the binaries:
restic/builder \
go run helpers/build-release-binaries/main.go --version 0.14.0 --verbose
Verifying SLSA Provenance for Docker Images
*******************************************
Our Docker images are built with SLSA (Supply-chain Levels for Software Artifacts)
provenance.
To verify this provenance:
1. Install the `slsa-verifier` tool from https://github.com/slsa-framework/slsa-verifier
2. Run the following command:
.. code-block:: console
$ slsa-verifier verify-image \
--source-uri github.com/restic/restic \
<image-name>@<digest>
Replace `<tag>` with the Git tag of the release you're verifying, `<image-name>`
with the full name of the Docker image (including the registry), and `<digest>`
with the SHA256 digest of the image.
3. If the verification is successful, you'll see output indicating that the provenance
is valid.
This verification ensures that the Docker image was built by our official GitHub
Actions workflow and has not been tampered with since its creation.
Verifying the Official Binaries
*******************************
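Review bot: the explanation under the command tells the reader to replace `<tag>` with the release's Git tag, but the command itself never uses a `<tag>` placeholder, so the instruction cannot be followed as written and, more importantly, the verification as shown only pins the source repository, not the release. Either add the tag check to the command, e.g. `--source-tag <tag>` on its own line after `--source-uri github.com/restic/restic \`, so that provenance built from the wrong ref is rejected, or drop the `<tag>` sentence if the intent is repository-level verification only. Also worth stating in step 2 that `<digest>` must be the `sha256:...` image digest (not a tag), since verifying by tag would not bind the provenance to the exact image bytes that were pulled.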