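#!/usr/bin/env bash
#
# Download a GitHub release artifact together with its SLSA provenance
# (the *.intoto.jsonl attestation attached to the release) and verify the
# artifact against that provenance with slsa-verifier.
#
# Usage: see usage() below. Required env: none; all inputs come from options.
# Requires: curl, slsa-verifier on PATH.
set -euo pipefail

#######################################
# Print an error message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Fetch the release artifact into the current directory.
# Globals:  ARTIFACT_URL (read), ARTIFACT_FILENAME (read)
# Outputs:  progress line on stdout
# Returns:  non-zero if the download fails (including HTTP errors)
#######################################
download-artifact() {
  # --fail makes curl exit non-zero on HTTP 4xx/5xx instead of silently
  # saving an error page under the artifact's name; --show-error keeps the
  # reason visible despite --silent.
  curl --silent --show-error --fail --location --remote-name -- "${ARTIFACT_URL}"
  echo "Downloaded artifact '${ARTIFACT_FILENAME}'"
}

#######################################
# Fetch the SLSA provenance attestation for the artifact.
# Globals:  PROVENANCE_URL (read), PROVENANCE_FILENAME (read)
# Outputs:  progress line on stdout
# Returns:  non-zero if the download fails (including HTTP errors)
#######################################
download-provenance() {
  curl --silent --show-error --fail --location --remote-name -- "${PROVENANCE_URL}"
  echo "Downloaded provenance '${PROVENANCE_FILENAME}'"
}

#######################################
# Verify the downloaded artifact against its provenance, pinning the
# expected source repository and release tag.
# Globals:  PROVENANCE_FILENAME, ARTIFACT_FILENAME, REPO, VERSION (read)
# Returns:  slsa-verifier's exit status; under `set -e` a failed
#           verification aborts the script.
#######################################
verify() {
  command -v slsa-verifier >/dev/null || die "slsa-verifier not found on PATH"
  slsa-verifier verify-artifact \
    --provenance-path "${PROVENANCE_FILENAME}" \
    --source-uri "github.com/${REPO}" \
    --source-tag "v${VERSION}" \
    -- "${ARTIFACT_FILENAME}"
}

#######################################
# Print usage and exit with status 1.
#######################################
usage() {
  local USAGE
  USAGE="
Usage: $(basename "${0}") [OPTIONS]

This scripts downloads the specified release from a GitHub repository and verifies it with the attached SLSA provenance.

Options:
  -a ARTIFACT   the artifact to download, e.g. macos-notarization-service
  -e EXTENSION  the extension to use, default: .zip
  -r REPO       the GitHub repo to use for download, format: owner/repo-name, e.g. eclipse-cbi/macos-notarization-service
  -v VERSION    the release version to download, e.g. 1.2.0
  -h            show this help
"
  printf '%s\n' "$USAGE"
  exit 1
}

EXTENSION=".zip"
while getopts ":a:e:r:v:" o; do
  case "${o}" in
    a) ARTIFACT=${OPTARG} ;;
    e) EXTENSION=${OPTARG} ;;
    r) REPO=${OPTARG} ;;
    v) VERSION=${OPTARG} ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

if [[ -z "${REPO-}" || -z "${VERSION-}" || -z "${ARTIFACT-}" ]]; then
  usage
fi

# The values below become path components of the download URL and of the
# local file names written by `curl --remote-name`; reject path separators
# so a crafted option cannot steer the download or the output location.
for value in "${ARTIFACT}" "${VERSION}" "${EXTENSION}"; do
  if [[ "${value}" == */* ]]; then
    die "option values must not contain '/': '${value}'"
  fi
done
[[ "${REPO}" == */* ]] || die "REPO must be in the form owner/repo-name: '${REPO}'"

echo "REPO     = ${REPO}"
echo "VERSION  = ${VERSION}"
echo "ARTIFACT = ${ARTIFACT}"

readonly ARTIFACT_FILENAME="${ARTIFACT}-${VERSION}${EXTENSION}"
readonly ARTIFACT_URL="https://github.com/${REPO}/releases/download/v${VERSION}/${ARTIFACT_FILENAME}"
readonly PROVENANCE_FILENAME="${ARTIFACT_FILENAME}.intoto.jsonl"
readonly PROVENANCE_URL="https://github.com/${REPO}/releases/download/v${VERSION}/${PROVENANCE_FILENAME}"

download-artifact
download-provenance
verify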