From 54f83700bdfec5448d850014414fda35eeae0440 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 29 Jul 2022 20:56:00 +0000
Subject: [PATCH 1/3] update

Signed-off-by: laurentsimon
---
 .github/workflows/build.yml | 24 ++++++++++++++++++++++++
 README.md                   |  8 ++++++++
 2 files changed, 32 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 36e1653c..6554bd70 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,6 +23,8 @@ env:
 
 jobs:
   build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
       -
@@ -100,6 +102,28 @@ jobs:
           draft: true
           files: ${{ env.RELEASE_OUT }}/*
 
+      -
+        name: Generate provenance subject
+        id: hash
+        run: |
+          set -euo pipefail
+
+          cd ${{ env.RELEASE_OUT }}
+          sha256sum * > checksums
+
+          echo "::set-output name=hashes::$(cat checksums | base64 -w0)"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true # Upload the generated provenance to release assets for releases for tags.
+
   buildkit-edge:
     runs-on: ubuntu-latest
     continue-on-error: true
diff --git a/README.md b/README.md
index 319c7689..8be9aff0 100644
--- a/README.md
+++ b/README.md
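Review bot: The `provenance` job and the `Generate provenance subject` step carry no `if:` condition, so they run on every event that triggers build.yml rather than only on tag releases as the README describes; on a run without a release there is nothing for `upload-assets: true` to attach, and if the workflow also runs for pull requests, `id-token: write` cannot be granted to fork runs and the job will fail. Gating the signing path on the tag ref, e.g. `if: startsWith(github.ref, 'refs/tags/')` on the `provenance` job and the `hash` step, keeps it on the release flow only (the workflow's `on:` block and the release step's own condition are outside the hunk, so confirm the trigger). The `hash` step also writes `checksums` into `${{ env.RELEASE_OUT }}`, the directory the release step uploads from; that is harmless for the subject list here but leaves a stray file next to the assets, so write it to `$RUNNER_TEMP` instead. `::set-output` has since been deprecated by GitHub; the equivalent is `echo "hashes=$(base64 -w0 checksums)" >> "$GITHUB_OUTPUT"`.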
@@ -5,6 +5,7 @@
 [![Build Status](https://img.shields.io/github/workflow/status/docker/buildx/build?label=build&logo=github&style=flat-square)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)
 [![Go Report Card](https://goreportcard.com/badge/github.com/docker/buildx?style=flat-square)](https://goreportcard.com/report/github.com/docker/buildx)
 [![codecov](https://img.shields.io/codecov/c/github/docker/buildx?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/buildx)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/images/gh-badge-level3.svg)
 
 `buildx` is a Docker CLI plugin for extended build capabilities with [BuildKit](https://github.com/moby/buildkit).
 
@@ -90,6 +91,13 @@ Docker Linux packages also include Docker Buildx when installed using the
 > instead.
 For Linux, we recommend that you follow the [instructions specific for your distribution](#linux-packages).
 You can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
+We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a relase binary:
+1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
+2. Download the provenance file `attestation.intoto.jsonl`.
+3. Run:
+```shell
+slsa-verifier -artifact-path buildx-v1.darwin-amd64 -provenance attestation.intoto.jsonl -source github.com/docker/buildx -branch master
+```
 
 Rename the relevant binary and copy it to the destination matching your OS:
 

From 1dd17ac4cfd06035b3f0d20e626c0cf5fbd51309 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 29 Jul 2022 20:57:32 +0000
Subject: [PATCH 2/3] update

Signed-off-by: laurentsimon
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 8be9aff0..bd8177e1 100644
--- a/README.md
+++ b/README.md
@@ -93,10 +93,10 @@ Docker Linux packages also include Docker Buildx when installed using the
 You can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
 We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a relase binary:
 1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
-2. Download the provenance file `attestation.intoto.jsonl`.
-3. Run:
+2. Download the provenance file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
+3. Run the verifier:
 ```shell
-slsa-verifier -artifact-path buildx-v1.darwin-amd64 -provenance attestation.intoto.jsonl -source github.com/docker/buildx -branch master
+slsa-verifier -artifact-path -provenance attestation.intoto.jsonl -source github.com/docker/buildx -branch master
 ```
 
 Rename the relevant binary and copy it to the destination matching your OS:

From 0d802d0a7297932b5d25da668a1d4b9a0c3eef4c Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Fri, 29 Jul 2022 20:59:44 +0000
Subject: [PATCH 3/3] update

Signed-off-by: laurentsimon
---
 .github/workflows/build.yml | 2 +-
 README.md                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6554bd70..ad08b34b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -122,7 +122,7 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
-      upload-assets: true # Upload the generated provenance to release assets for releases for tags.
+      upload-assets: true # Upload the generated provenance to release assets for tags.
 
   buildkit-edge:
     runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index bd8177e1..8388947f 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ Docker Linux packages also include Docker Buildx when installed using the
 > instead.
 For Linux, we recommend that you follow the [instructions specific for your distribution](#linux-packages).
 You can also download the latest binary from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
-We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a relase binary:
+We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:
 1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).
 2. Download the provenance file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/docker/buildx/releases/latest).
 3. Run the verifier: