Open AdamKorcz opened 1 month ago
@haydentherapper Could you have a look?
So far, sigstore-go's releases have been source code only. With this workflow, sigstore-go will release binaries with attestation for these binaries. This might not be the way that users consume sigstore-go at the moment, and we should consider if we should add attestations for the source code instead.
It was intentional to only release source code archives. We want to discourage users from using the sigstore-go CLIs - they are meant as examples for signing and verification.
I'd say we only need a provenance attestation on how the source archive was built.
I would also not recommend releasing any binaries, for the reason @haydentherapper mentions.
Current status with https://github.com/sigstore/sigstore-go/pull/280/commits/c3d757f54b58e9c44edfc0ef15e712821f884b4c
Sample run: https://github.com/AdamKorcz/test-releasing/actions/runs/10564714125
I have adjusted the workflow so that it generates verifiable provenance for the compressed sigstore-go source archives.
The interoperability between the compressed source archives and https://github.com/actions/attest-build-provenance is not great (although there are many good things to say about https://github.com/actions/attest-build-provenance), so I've had to do some workarounds. The following areas lack support to make generating provenance for source archives simpler:
- The gh binary will look up the attestation based on the compressed archive's checksum.
- git archive. I have tried to reproduce the command that generates the archives, but I have not been successful.
With the current state of the workflow, users can download the sigstore-go source archives in any of the following ways and verify them. These are tested out on my own repo, so I am adding reproducible steps that successfully verify. With the workflow in sigstore-go's own repo, the links would be https://github.com/sigstore/sigstore-go instead of https://github.com/AdamKorcz/test-releasing.
curl (zipball)
  curl -L \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer <YOUR-TOKEN>" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    https://api.github.com/repos/AdamKorcz/test-releasing/zipball/v0.2.6 > artifact.zip
  gh attestation verify artifact.zip --repo=AdamKorcz/test-releasing
  Output:
  Loaded digest sha256:22d5242aa2107d16920d2d3aeb9b4fd7b0d8992b0ebb604b21b190de1447c99e for file://artifact.zip
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!
  sha256:22d5242aa2107d16920d2d3aeb9b4fd7b0d8992b0ebb604b21b190de1447c99e was attested by:
  REPO                      PREDICATE_TYPE                    WORKFLOW
  AdamKorcz/test-releasing  https://slsa.dev/provenance/v1    .github/workflows/release.yml@refs/tags/v0.2.6

curl (tarball)
  curl -L \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer <YOUR-TOKEN>" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    https://api.github.com/repos/AdamKorcz/test-releasing/tarball/v0.2.6 > artifact.tar.gz
  gh attestation verify artifact.tar.gz --repo=AdamKorcz/test-releasing
  Output:
  Loaded digest sha256:6a2b5cf8671de291aad4fab2020341044905efa2a9e9f352ab82be1e7b394b9d for file://artifact.tar.gz
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!
  sha256:6a2b5cf8671de291aad4fab2020341044905efa2a9e9f352ab82be1e7b394b9d was attested by:
  REPO                      PREDICATE_TYPE                    WORKFLOW
  AdamKorcz/test-releasing  https://slsa.dev/provenance/v1    .github/workflows/release.yml@refs/tags/v0.2.6

wget archive/tags/REF (zipball)
  wget https://github.com/AdamKorcz/test-releasing/archive/tags/v0.2.6.zip
  gh attestation verify v0.2.6.zip --repo=AdamKorcz/test-releasing
  Output:
  Loaded digest sha256:dee47b879d1493dce252032f2793af459b43ba49fc966baf6843cdc8192bbb54 for file://v0.2.6.zip
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!
  sha256:dee47b879d1493dce252032f2793af459b43ba49fc966baf6843cdc8192bbb54 was attested by:
  REPO                      PREDICATE_TYPE                    WORKFLOW
  AdamKorcz/test-releasing  https://slsa.dev/provenance/v1    .github/workflows/release.yml@refs/tags/v0.2.6

wget archive/tags/REF (tarball)
  wget https://github.com/AdamKorcz/test-releasing/archive/tags/v0.2.6.tar.gz
  gh attestation verify v0.2.6.tar.gz --repo=AdamKorcz/test-releasing
  Output:
  Loaded digest sha256:4af7194a96f05a08189a5c0fc824bfcfacc8cbd0e5f9f37787727d513a3a91b7 for file://v0.2.6.tar.gz
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!
  sha256:4af7194a96f05a08189a5c0fc824bfcfacc8cbd0e5f9f37787727d513a3a91b7 was attested by:
  REPO                      PREDICATE_TYPE                    WORKFLOW
  AdamKorcz/test-releasing  https://slsa.dev/provenance/v1    .github/workflows/release.yml@refs/tags/v0.2.6

wget archive/refs/tags/REF (zipball), Source code (tar.gz) link from release page
  wget https://github.com/AdamKorcz/test-releasing/archive/refs/tags/v0.2.6.zip
  gh attestation verify v0.2.6.zip --repo=AdamKorcz/test-releasing
  Output:
  Loaded digest sha256:cfd47adfae74fbdeeebf1fee424317aef540e65875017b52296a473235fca973 for file://v0.2.6.zip
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!
  sha256:cfd47adfae74fbdeeebf1fee424317aef540e65875017b52296a473235fca973 was attested by:
  REPO                      PREDICATE_TYPE                    WORKFLOW
  AdamKorcz/test-releasing  https://slsa.dev/provenance/v1    .github/workflows/release.yml@refs/tags/v0.2.6

wget archive/refs/tags/REF (tarball), Source code (zip) link from release page
  wget https://github.com/AdamKorcz/test-releasing/archive/refs/tags/v0.2.6.tar.gz
  gh attestation verify v0.2.6.tar.gz --repo=AdamKorcz/test-releasing
  Output:
  Loaded digest sha256:4af7194a96f05a08189a5c0fc824bfcfacc8cbd0e5f9f37787727d513a3a91b7 for file://v0.2.6.tar.gz
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!
  sha256:4af7194a96f05a08189a5c0fc824bfcfacc8cbd0e5f9f37787727d513a3a91b7 was attested by:
  REPO                      PREDICATE_TYPE                    WORKFLOW
  AdamKorcz/test-releasing  https://slsa.dev/provenance/v1    .github/workflows/release.yml@refs/tags/v0.2.6
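The comment above makes two points that are easy to miss: the gh CLI finds an attestation by the sha256 of the compressed archive, and the author could not reproduce the archive-generating command. The following is an added example, not code from the PR or from sigstore-go, that models why those two points are linked. It builds a source tarball with pinned metadata, wraps its digest in a constructed in-toto statement with the same subject shape and https://slsa.dev/provenance/v1 predicate type that the gh output above reports, and runs a simplified digest-only lookup (an assumption about the matching rule, not gh's implementation). The sample tree and the statement are constructed here; re-archiving the identical files with a different timestamp changes the bytes, so the lookup fails even though no source file changed.

```python
# Added example (not from the PR or the sigstore-go project): models why a
# digest-based attestation lookup only succeeds when the archive bytes on
# disk are exactly the bytes that were attested. The source tree and the
# in-toto statement are constructed here; the matcher is a simplified model.
import gzip
import hashlib
import io
import json
import tarfile

# Constructed stand-in for a checked-out tag; names mirror the
# "<repo>-<version>/" prefix that GitHub source archives use.
SAMPLE_TREE = {
    "test-releasing-0.2.6/go.mod": b"module example.com/test-releasing\n",
    "test-releasing-0.2.6/main.go": b"package main\n\nfunc main() {}\n",
}


def build_tarball(tree, mtime):
    """Build a .tar.gz of `tree` in memory with pinned metadata.

    `mtime` is written into every tar header and into the gzip header, and
    entries are added in sorted order with uid/gid 0, so two calls with the
    same tree and mtime are byte-identical. Change mtime and the bytes (and
    therefore the sha256) change even though the file contents do not.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(tree[name]))
    out = io.BytesIO()
    # mtime=... pins the gzip header timestamp; BytesIO has no name, so the
    # gzip header carries no filename either.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    """The digest gh prints as 'Loaded digest sha256:... for file://...'."""
    return hashlib.sha256(data).hexdigest()


def make_statement(archive_name, archive_bytes):
    """Constructed in-toto Statement whose subject is the archive digest and
    whose predicateType is the SLSA v1 URI seen in the gh output above.
    The predicate body is left empty; only the subject matters for lookup."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [
            {"name": archive_name, "digest": {"sha256": sha256_hex(archive_bytes)}}
        ],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {},
    }


def find_subject(statement, artifact_bytes):
    """Digest-based lookup (simplified model): return the subject name whose
    sha256 equals the digest of the bytes on disk, or None. Nothing else
    about the artifact, not its file name nor its entries, is consulted."""
    digest = sha256_hex(artifact_bytes)
    for subject in statement["subject"]:
        if subject.get("digest", {}).get("sha256") == digest:
            return subject["name"]
    return None


if __name__ == "__main__":
    pinned = 1_700_000_000
    attested = build_tarball(SAMPLE_TREE, pinned)
    statement = make_statement("v0.2.6.tar.gz", attested)
    print(json.dumps(statement, indent=2))
    # Same tree, same pinned metadata: the lookup succeeds.
    print(find_subject(statement, build_tarball(SAMPLE_TREE, pinned)))
    # Same tree, re-archived one second later: the lookup fails.
    print(find_subject(statement, build_tarball(SAMPLE_TREE, pinned + 1)))
```

The practical consequence for the workflow is the one the comment describes: the attestation has to be produced over the exact archive bytes GitHub serves (which is why each download path above loads a different digest and each needs its own subject), rather than over a locally rebuilt archive whose metadata may differ.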
@haydentherapper @kommendorkapten I am keeping this in draft, but could you consider https://github.com/sigstore/sigstore-go/pull/280/commits/c3d757f54b58e9c44edfc0ef15e712821f884b4c and https://github.com/sigstore/sigstore-go/pull/280#issuecomment-2310823926
Summary
This adds a GitHub workflow for releasing the sigstore-go source code and provenance attestation.
For current status on this PR, see https://github.com/sigstore/sigstore-go/pull/280#issuecomment-2310823926
Old intro below kept for tracking. See https://github.com/sigstore/sigstore-go/pull/280#issuecomment-2310823926 for current status.
Sample run: https://github.com/AdamKorcz/sigstore-go/actions/runs/10516249552
I have made a few decisions that need consideration:
- make test, or should that be a separate workflow?
- dispatch or push.
- The Windows runner is giving me some problems, which is why I am hardcoding the binary name:
It could be refactored to look nicer.
Release Note
Documentation