Generate SLSA signatures for Released zip files (#7450)

* update * update * update * update * update * update * update
2026-06-10 15:16:28 +00:00 · 2022-08-16 16:30:37 -07:00
parent 1e0f75a647
commit 9610a666b1
2 changed files with 126 additions and 0 deletions
--- a/docs/source/Building.md
+++ b/docs/source/Building.md
@@ -61,6 +61,18 @@ You can download and install flatbuffers using the [vcpkg](https://github.com/Mi
 The flatbuffers port in vcpkg is kept up to date by Microsoft team members and community contributors.
 If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.

+## Downloading binaries
+You can download the binaries from the
+[GitHub release page](https://github.com/google/flatbuffers/releases).
+
+We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify the binaries:
+1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation)
+1. Download the file named `attestation.intoto.jsonl` from the GitHub release
+1. Run:
+```shell
+$ slsa-verifier -artifact-path <downloaded.zip> -provenance attestation.intoto.jsonl -source github.com/google/flatbuffers -tag <version>
+  PASSED: Verified SLSA provenance
+
 ## Building for Android

 There is a `flatbuffers/android` directory that contains all you need to build