
Add SBOM, Cosign signature, and SLSA provenance to releases#327

Merged
AndreyVMarkelov merged 1 commit into dropbox:master from AndreyVMarkelov:feat/release-supply-chain-security
Jul 4, 2026

Conversation

@AndreyVMarkelov AndreyVMarkelov commented Jul 4, 2026

Contributor

Summary

  • Generate SPDX SBOM via anchore/sbom-action and include it in release assets
  • Sign SHA256SUMS with Cosign (keyless Sigstore) producing SHA256SUMS.sigstore.json
  • Add SLSA Level 3 provenance attestation via slsa-github-generator
  • Document verification steps (cosign verify-blob + slsa-verifier) in README
  • Add --timeout usage guidance to automation docs
  • Include SBOM in SHA256SUMS checksum file

Test plan

  • Tag a test release and verify SBOM, sigstore bundle, and SLSA provenance are uploaded as assets
  • Verify cosign verify-blob succeeds against the signed SHA256SUMS
  • Verify slsa-verifier verify-artifact succeeds against a release tarball

Generate an SPDX SBOM, sign SHA256SUMS with Cosign (keyless via Sigstore),
and produce SLSA Level 3 provenance using slsa-github-generator. Document
verification steps in README and add --timeout guidance to automation docs.
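A consumer-side verification script for the release assets this PR describes (SHA256SUMS, its Sigstore bundle, the SLSA provenance and the SBOM). This is an added example, not the project's own workflow or README text; it assumes cosign v2 and slsa-verifier are on PATH, that the tarball and provenance file names are passed in, and that the Cosign certificate identity is a tag-triggered workflow in the release repository (the regexp is an assumption to adjust to the real workflow path).

```shell
#!/bin/sh
# verify_release.sh: consumer-side verification of a release published with
# the assets this PR adds (SHA256SUMS, SHA256SUMS.sigstore.json, SPDX SBOM,
# SLSA provenance). Added example, not the project's own script. Assumptions:
# cosign v2 and slsa-verifier are on PATH, and the signing identity is the
# repository's release workflow (adjust the regexp to the real workflow path).
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"

# 1. Keyless Cosign check: SHA256SUMS must be covered by a Sigstore bundle
#    whose certificate was issued to the expected GitHub Actions identity.
verify_signature() {
  dir=$1; repo=$2
  cosign verify-blob \
    --bundle "$dir/SHA256SUMS.sigstore.json" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "^https://github.com/$repo/\.github/workflows/.*@refs/tags/" \
    "$dir/SHA256SUMS"
}

# 2. SLSA provenance check: ties the tarball to the source repo and tag.
verify_provenance() {
  dir=$1; repo=$2; tag=$3; artifact=$4; prov=$5
  slsa-verifier verify-artifact "$dir/$artifact" \
    --provenance-path "$dir/$prov" \
    --source-uri "github.com/$repo" \
    --source-tag "$tag"
}

# 3. Checksum check: once SHA256SUMS is trusted, every listed asset
#    (the SBOM included) must match it. Non-zero exit on any mismatch.
verify_checksums() {
  dir=$1
  (cd "$dir" && sha256sum -c SHA256SUMS)
}

verify_release() {
  dir=$1; repo=$2; tag=$3; artifact=$4; prov=$5
  verify_signature "$dir" "$repo"
  verify_provenance "$dir" "$repo" "$tag" "$artifact" "$prov"
  verify_checksums "$dir"
  echo "release $tag verified"
}

# Usage: verify_release.sh <asset-dir> <owner/repo> <tag> <tarball> <provenance>
if [ $# -eq 5 ]; then verify_release "$@"; fi
```

Order matters: the signature and provenance checks establish trust in SHA256SUMS before the checksum step relies on it.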
@AndreyVMarkelov AndreyVMarkelov merged commit 01aadbf into dropbox:master Jul 4, 2026
9 checks passed
