From 4cfe07da8a79ede1445bf137d5e2085a7e8c7ad1 Mon Sep 17 00:00:00 2001
From: Enguerrand Allamel
Date: Mon, 2 Dec 2024 17:02:26 +0100
Subject: [PATCH] set to sha512
---
 .github/workflows/sigtstorejs.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/sigtstorejs.yaml b/.github/workflows/sigtstorejs.yaml
index c8ec53d..9a2cd46 100644
--- a/.github/workflows/sigtstorejs.yaml
+++ b/.github/workflows/sigtstorejs.yaml
@@ -20,7 +20,9 @@ jobs:
 - name: Generate dummy package
 run: npm pack
 - name: Generate provenance statement with package as attestation subject
- run: npx @npmcli/provenance-cli generate aenguerrand-examplepackage12-0.4.0.tgz -o provenance-statement.json --subject-name="pkg:npm/%40aenguerrand/examplepackage12@0.4.0"
+ run: |
+ sha512=$(shasum -a 512 aenguerrand-examplepackage12-0.4.0.tgz | awk '{print $1}')
+ npx @npmcli/provenance-cli generate aenguerrand-examplepackage12-0.4.0.tgz -o provenance-statement.json --subject-name="pkg:npm/%40aenguerrand/examplepackage12@0.4.0" --subject-digest="$sha512"
 - name: Sign provenance statement
 run: npx @sigstore/cli attest ./provenance-statement.json -o provenance.sigstore.json
 - name: "Verify provenance statement (TODO: Verify source identity)"
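Review bot: The new `sha512=$(shasum -a 512 … | awk '{print $1}')` line can yield an empty digest without failing the step: if the hard-coded tarball name does not match what `npm pack` produced, `shasum` errors but the pipeline's exit status is awk's, and GitHub's default `bash -e` shell for `run` does not enable `pipefail`, so the job continues and signs a provenance statement with `--subject-digest=""`. Start the block with `set -euo pipefail` and validate the value before using it, e.g. `[ "${#sha512}" -eq 128 ] || { echo "unexpected sha512 digest: '$sha512'" >&2; exit 1; }`. The filename and version are also hard-coded in two places (the hashed file and `--subject-name`), so a version bump can desynchronize the subject name from the artifact actually hashed; deriving both from `npm pkg get name version` or from `npm pack`'s printed filename would remove that drift. Whether `--subject-digest` expects bare hex or a `sha512:`-prefixed value is not visible here — confirm against provenance-cli's help, since a mismatch would only surface at the later verify step. The enclosing `jobs:`/`steps:` structure begins outside the hunk.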