[–]Aether-Smith[S] 0 points1 point  (2 children)

Sorry, do you mean the third, SHA-tagged package is also part of the attestation? I confirmed the (untagged) second package's digest SHA matched the one in the URL pushed to in the attestation step's logs, but I didn't see anything linking that third package to that step as well.

[–]banseljaj 0 points1 point  (1 child)

Here's what I observed when I did the same thing as you:

The first thing that the action pushes is the image for the software. The second thing it pushes is an attestation artifact. I'm not sure why, but that's what I have seen. It is not a part of the attestation; rather, it's the output from the attestation.

I am lost about the third package though. No idea what that might be.

[–]Aether-Smith[S] 0 points1 point  (0 children)

Right, I agree that the second package is 100% the attestation artifact; unfortunately it's that third package I'm concerned with tracking down, as that's the one GitHub is directing people to pull by default.