mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-17 11:57:12 +03:00
📖 Add .sigstore
bundles to Signed-Releases docs (#3922)
Signed-off-by: Chris Swan <478926+cpswan@users.noreply.github.com>
This commit is contained in:
parent
d55dbd12e6
commit
16b675953a
@ -594,7 +594,7 @@ Signed releases attest to the provenance of the artifact.
|
||||
This check looks for the following filenames in the project's last five
|
||||
[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
|
||||
[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
|
||||
*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev).
|
||||
*.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev).
|
||||
|
||||
If a signature is found in the assets for each release, a score of 8 is given.
|
||||
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
|
||||
|
@ -626,7 +626,7 @@ checks:
|
||||
This check looks for the following filenames in the project's last five
|
||||
[release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases):
|
||||
[*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp),
|
||||
*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev).
|
||||
*.sig, *.sign, *.sigstore, [*.intoto.jsonl](https://slsa.dev).
|
||||
|
||||
If a signature is found in the assets for each release, a score of 8 is given.
|
||||
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
|
||||
|
Loading…
Reference in New Issue
Block a user