ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-17 11:57:12 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

📖 Add .sigstore bundles to Signed-Releases docs (#3922)

Browse Source 
Signed-off-by: Chris Swan <478926+cpswan@users.noreply.github.com>
This commit is contained in:
Chris Swan 2024-03-05 17:57:59 +00:00 committed by GitHub
parent d55dbd12e6
commit 16b675953a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/checks.md
View File

@ -594,7 +594,7 @@ Signed releases attest to the provenance of the artifact.
This check looks for the following filenames in the project's last five
[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev).
*.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev).
If a signature is found in the assets for each release, a score of 8 is given.
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.

2
docs/checks/internal/checks.yaml
View File

@ -626,7 +626,7 @@ checks:
This check looks for the following filenames in the project's last five
[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev).
*.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev).
If a signature is found in the assets for each release, a score of 8 is given.
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.