From 9aae8edff0369913590aecfb654e256d923077d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20REY?= Date: Fri, 24 May 2024 11:40:23 +0200 Subject: [PATCH 1/5] docs(getting-started): fix missing dot in file name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémi REY --- docs/tutorials/getting-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorials/getting-started.md b/docs/tutorials/getting-started.md index f858f214..5537f8fc 100644 --- a/docs/tutorials/getting-started.md +++ b/docs/tutorials/getting-started.md @@ -26,7 +26,7 @@ openssl pkey -in testkey.pem -pubout > testpub.pem > including Github Actions - This file generally resides in your source code repository along with the public keys generated above. -- `.witness yaml` is the default location for the configuration file +- `.witness.yaml` is the default location for the configuration file - `witness help` will show all configuration options - command-line arguments overrides configuration file values. From 027310f1f1dd41c8c035a39b5faf30b8becec5e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20REY?= Date: Fri, 24 May 2024 15:59:39 +0200 Subject: [PATCH 2/5] docs(getting-started): mention the slsa attestor in getting started MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Provenance being the very first requirement from SLSA, it seems quite appropriate to mention how Witness helps achieve this easily. Signed-off-by: Rémi REY --- docs/tutorials/getting-started.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/tutorials/getting-started.md b/docs/tutorials/getting-started.md index 5537f8fc..0d774f7c 100644 --- a/docs/tutorials/getting-started.md +++ b/docs/tutorials/getting-started.md 
@@ -47,13 +47,16 @@ verify: >💡 Tip: You can upload the recorded attestations to an [Archivista](https://github.com/in-toto/archivista) server by using the `--enable-archivista` flag! - The `-a {attestor}` flag allows you to define which attestors run - ex. `-a maven -a gcp -a gitlab` would be used for a maven build running on a GitLab runner on GCP. +- Witness has a set of attestors that are always run. You can see them in the output of the `witness attestors list` command. - Defining step names is important, these will be used in the policy. - This should happen as a part of a CI step ``` -witness run --step build -o test-att.json -- go build -o=testapp . +witness run --step build -o test-att.json -a slsa -- go build -o=testapp . ``` +>💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. This is a mandatory requirement for SLSA 1 + ### 4. View the attestation data in the signed DSSE Envelope - This data can be stored and retrieved from Archivista From a7e1b281910ec95e1dd7e0ea6208c7e1851f551c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20REY?= Date: Fri, 24 May 2024 16:26:41 +0200 Subject: [PATCH 3/5] Update docs/tutorials/getting-started.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Matthias Glastra Signed-off-by: Rémi REY --- docs/tutorials/getting-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorials/getting-started.md b/docs/tutorials/getting-started.md index 0d774f7c..9536fd88 100644 --- a/docs/tutorials/getting-started.md +++ b/docs/tutorials/getting-started.md 
@@ -55,7 +55,7 @@ verify: witness run --step build -o test-att.json -a slsa -- go build -o=testapp . ``` ->💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. This is a mandatory requirement for SLSA 1 +>💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. This is a mandatory requirement for SLSA Level 1 ### 4. View the attestation data in the signed DSSE Envelope From fe846d62eff4747dde69d35532801d2a4c357a82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20REY?= Date: Thu, 30 May 2024 11:24:08 +0200 Subject: [PATCH 4/5] Update docs/tutorials/getting-started.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémi REY --- docs/tutorials/getting-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorials/getting-started.md b/docs/tutorials/getting-started.md index 9536fd88..efd022c3 100644 --- a/docs/tutorials/getting-started.md +++ b/docs/tutorials/getting-started.md @@ -55,7 +55,7 @@ verify: witness run --step build -o test-att.json -a slsa -- go build -o=testapp . ``` ->💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. This is a mandatory requirement for SLSA Level 1 +>💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. The `--attestor-slsa-export` option allows to write the Provenance in a dedicated file. This is a mandatory requirement for SLSA Level 1 ### 4. View the attestation data in the signed DSSE Envelope From 5c1c1f10c89d516e3ebf03655bfe6b75593ab3a8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A9mi=20REY?= Date: Thu, 30 May 2024 11:24:15 +0200 Subject: [PATCH 5/5] Update docs/tutorials/getting-started.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémi REY --- docs/tutorials/getting-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/tutorials/getting-started.md b/docs/tutorials/getting-started.md index efd022c3..8bc111a8 100644 --- a/docs/tutorials/getting-started.md +++ b/docs/tutorials/getting-started.md @@ -52,7 +52,7 @@ verify: - This should happen as a part of a CI step ``` -witness run --step build -o test-att.json -a slsa -- go build -o=testapp . +witness run --step build -o test-att.json -a slsa --attestor-slsa-export -- go build -o=testapp . ``` >💡 Tip: The `-a slsa` option allows to generate the [SLSA Provenace](https://slsa.dev/spec/v1.0/provenance) predicate in the attestation. The `--attestor-slsa-export` option allows to write the Provenance in a dedicated file. This is a mandatory requirement for SLSA Level 1
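Review bot: in PATCH 2/5, the added tip line misspells the link text as "SLSA Provenace"; it should read "SLSA Provenance", matching the URL it links to (https://slsa.dev/spec/v1.0/provenance). The same line says "allows to generate", which needs an object ("allows you to generate" or simply "generates"), and it ends without a full stop after "SLSA 1". Patches 3/5 and 4/5 rewrite this line and carry the misspelling forward, so fixing it here keeps the rest of the series clean.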
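Review bot: in PATCH 4/5, the new sentence about `--attestor-slsa-export` is inserted between the provenance sentence and "This is a mandatory requirement for SLSA Level 1", so "This" now reads as referring to the dedicated export file rather than to the provenance predicate. Suggest moving the `--attestor-slsa-export` sentence to the end of the tip, or replacing "This" with "Provenance" so the requirement stays attached to the right subject. The new sentence also says "a dedicated file" without saying which file.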
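Review bot: in PATCH 5/5, the `witness run` line now passes `--attestor-slsa-export`, but nothing in the command or in the tip below it tells the reader the name or location of the exported provenance file, whereas the attestation output is explicit through `-o test-att.json`. Suggest stating the exported file's path in the tip, so a reader following the tutorial knows what to expect in the working directory and what to keep as a build output alongside `test-att.json`.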