File slsa-verifier.spec of Package slsa-verifier

#
# spec file for package slsa-verifier
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


Name:           slsa-verifier
Version:        2.7.1
Release:        0
Summary:        Verify provenance from SLSA compliant builders
License:        Apache-2.0
Group:          System/Management
URL:            https://github.com/slsa-framework/slsa-verifier
Source:         https://github.com/slsa-framework/slsa-verifier/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1:        vendor.tar.zst
BuildRequires:  golang-packaging
BuildRequires:  zstd
BuildRequires:  golang(API) >= 1.21

%description
slsa-verifier is a tool for verifying SLSA provenance that was generated by
CI/CD builders. It verifies the cryptographic signatures on the provenance to
make sure it was created by the expected builder. It then verifies that values
such as the builder ID, source code repository, and ref (branch or tag) match
the expected values.

%prep
%autosetup -p1 -a1

%build
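export CGO_ENABLED=1
# -mod=vendor resolves dependencies only from the unpacked vendor tarball
# (Source1), so the build does not fetch modules from the network.
# -buildmode=pie produces a position-independent executable, -trimpath drops
# local file system paths from the binary, and -s -w strip the symbol table
# and DWARF debug information.
go build -o slsa-verifier -mod=vendor -buildmode=pie -trimpath -ldflags "-s -w -X=main.version=%{version}" ./cli/slsa-verifier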

%install
install -D -m 755 slsa-verifier %{buildroot}%{_bindir}/%{name}

%files
%license LICENSE
%doc README.md
%{_bindir}/%{name}

%changelog