axodotdev / cargo-dist

📦 shippable application packaging
https://axodotdev.github.io/cargo-dist/
Apache License 2.0

sign binaries with sigstore #120

Open rgreinho opened 1 year ago

rgreinho commented 1 year ago

As a developer I would like to have the ability to sign the binaries I release.

This could be done using sigstore as they provide a fantastic keyless signing ecosystem (can use GitHub OIDC), as well as rust bindings sigstore-rs.

Gankra commented 1 year ago

possible dupe of #21

Gankra commented 1 year ago

(making this a more specific task)

passcod commented 1 year ago

Registering interest in this implementation as we're going to add support for checking sigstore in binstall in the near-but-not-defined future, so would be annoying if we were incompatible by accident

Gankra commented 1 year ago

With #243 done this is the next logical step for integrity/checksum/signing stuff but i'm definitely in "i have no idea what i'm doing" territory with sigstore

dunxen commented 1 year ago

> With #243 done this is the next logical step for integrity/checksum/signing stuff but i'm definitely in "i have no idea what i'm doing" territory with sigstore

Although no releases yet, we started testing with cargo-dist before #243 went in. Unfortunately we ended up modifying the generated workflow, which I guess defeats the purpose of a feature of cargo-dist, but we ended up with something working with the cosign GH Action. We decided generating one checksum file and signing that was easier for us. Although not with GitHub OIDC as that's not available for plain blobs with cosign yet, just container images. So we had to generate a keypair using the approach here.

We definitely want to rework our workflow to align with what y'all decide to do as we'd like less moving parts (and not modifying generated workflows, although was just a hack for PoC). Happy to provide feedback too, and thanks for an awesome tool! :)

Our frankenflow: https://github.com/lndk-org/lndk/blob/5f0ed07eb3b669d6dec3edb1813b50f18e78bc6e/.github/workflows/release.yml#L134

passcod commented 1 year ago

FTR The design we're thinking of with binstall is to use the cosign (sign-blob and) verify-blob workflows (but in Rust, not through the CLI go tools) directly on the packages / archives / distributed artifacts, not on generated checksum files, as cosign already does the hashing internally and because that lets us verify from the files we're already downloading, rather than having to fetch an extra one. But awaiting more advice / consensus / free time before implementing :)

dunxen commented 1 year ago

> as cosign already does the hashing internally and because that lets us verify from the files we're already downloading, rather than having to fetch an extra one.

Yeah that would be ideal. It's just that I was tied to wanting a single bundle, hence the single checksums, but honestly I don't see the point of that anyway as users generally want one blob so having one bundle per blob is fine 😅

But I did see some issue that they were considering having all the signatures in a single cosign bundle which would be a nice optional feature.

dunxen commented 2 months ago

I don't have a ton of extra time, but I'm going to try integrating this on my fork via sigstore-rs at least for our workflow of managing the cosign key ourselves to sign the blobs and push the sig to the registry (i.e. no keyless blob signing). I'll comment my findings (if they're interesting). At some point (if someone doesn't have something nicer) I'd be happy to try to go through the process of upstreaming it here.

passcod commented 2 months ago

Going to note that github has released this https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ which might simplify the story at least for github-actions.

dunxen commented 2 months ago

> Going to note that github has released this https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

he, literally published yesterday! Thanks, this might be what we want so I'll look into it as well.

ashleygwilliams commented 2 months ago

hey folks! we would be super excited to have this upstreamed. to the extent that we'd be willing to pay/sponsor someone to do it. we don't have a ton, but this integration would be very useful. feel free to hop on the discord if that's of interest to you and we can chat about it!

dunxen commented 2 months ago

> hey folks! we would be super excited to have this upstreamed. to the extent that we'd be willing to pay/sponsor someone to do it. we don't have a ton, but this integration would be very useful. feel free to hop on the discord if that's of interest to you and we can chat about it!

So getting GitHub Attestations integrated with cargo-dist is super easy. It can literally be a bool config and I've managed to do that successfully in an afternoon as it basically just modifies the release.yaml. I've also done a bit of work integrating with the sigstore-rs stuff and it doesn't seem too complicated (just more moving parts, but allows more flexibility).

I think it would be great to have both. GitHub Attestations is an easy and quick win, though!

I'll join the Discord to chat more :)
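For readers following the thread, here is an added illustration (not cargo-dist's generated `release.yml`, nor code from any participant) of what the "bool config" described above boils down to in a release workflow: an `actions/attest-build-provenance` step run over the distributed archives before they are uploaded, with the extra `id-token` and `attestations` permissions that keyless Sigstore signing and attestation storage require. The job name, trigger, crate name `myapp` and archive path are assumptions for illustration only; the step attests the archives themselves rather than a separate checksum file, in line with the design passcod describes.

```yaml
# Added example, not cargo-dist's own generated workflow.
# Assumed: a crate named `myapp`, a tag trigger, and archives placed under dist/.
name: release
on:
  push:
    tags: ["v*"]

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # upload release assets
      id-token: write       # mint the GitHub OIDC token Sigstore uses for keyless signing
      attestations: write   # store the provenance attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build release archive (placeholder for the real build step)
        run: |
          mkdir -p dist
          cargo build --release
          tar -C target/release -czf dist/myapp-x86_64-unknown-linux-gnu.tar.gz myapp

      # Attest every distributed artifact directly; the action hashes each file,
      # signs the provenance statement with a short-lived certificate tied to this
      # workflow's OIDC identity, and records it in the Sigstore transparency log.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: "dist/*.tar.gz"

      # Upload happens only after attestation so every published asset is covered.
      - name: Upload release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${GITHUB_REF_NAME}" dist/*.tar.gz
```

A downloader can then check a fetched archive with `gh attestation verify dist/myapp-x86_64-unknown-linux-gnu.tar.gz --owner <org>` (placeholder owner), which confirms both that the file's digest matches an attestation and that it was produced by a workflow in that organisation, without any long-lived signing key to manage. The ordering matters for the threat model: attest before upload, so no unattested asset is ever published.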