mirror of
https://git.quad4.io/RNS-Things/MeshChatX.git
synced 2026-04-23 08:45:43 +00:00
chore(ci): remove verify-release-attestation.sh script and update attest-release-assets.sh to exclude .cosign.bundle files
@@ -19,7 +19,7 @@ trap 'rm -f "$PRED"' EXIT INT
|
||||
|
||||
python3 scripts/ci/slsa-predicate.py > "$PRED"
|
||||
|
||||
find "$DIR" -type f ! -name '*.sha256' ! -name '*.cosign.bundle' | while IFS= read -r f; do
|
||||
find "$DIR" -type f ! -name '*.cosign.bundle' | while IFS= read -r f; do
|
||||
case "$f" in
|
||||
*/.git/*) continue ;;
|
||||
esac
|
||||
|
||||
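Review bot: The `find "$DIR" … | while IFS= read -r f` line discards `find`'s exit status, because in POSIX sh a pipeline reports only the status of its last command, so a missing or unreadable `$DIR` gives an empty loop and the attestation step exits successfully with nothing attested. No guard on `$DIR` is visible in this hunk; if none exists earlier in the script, add `[ -d "$DIR" ] || { echo "no such directory: $DIR" >&2; exit 1; }` before the `find`. The rendered page has lost the +/- markers, so it is not certain which of the two `find` lines is the new one, but the point applies to either. The loop body continues outside the hunk, so whether the script later checks that at least one file was attested cannot be confirmed from here.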
@@ -1,21 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Verify a cosign SLSA bundle for a release binary using the repository public key.
|
||||
# Checks Sigstore Rekor (public log) unless COSIGN_REKOR_URL points elsewhere.
|
||||
# Usage: verify-release-attestation.sh <blob-file> <bundle-file>
|
||||
# Env: COSIGN_PUBLIC_KEY (default cosign.pub)
|
||||
set -eu
|
||||
|
||||
BLOB="${1:?blob path}"
|
||||
BUNDLE="${2:?bundle path}"
|
||||
PUB="${COSIGN_PUBLIC_KEY:-cosign.pub}"
|
||||
|
||||
if [ ! -f "$PUB" ]; then
|
||||
echo "Missing $PUB (generate a key pair with cosign and commit the .pub file)" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
exec cosign verify-blob-attestation \
|
||||
--key "$PUB" \
|
||||
--bundle "$BUNDLE" \
|
||||
--type slsaprovenance1 \
|
||||
"$BLOB"
|
||||