videre-project / MTGOSDK

A software development kit (SDK) for inspecting and interacting with the Magic: The Gathering Online (MTGO) client.
Apache License 2.0

Add build provenance with Sigstore #19

Open Qonfused opened 2 months ago

Qonfused commented 2 months ago

Use Sigstore to sign build artifacts generated in CI, providing provenance for release artifacts and runtime assets. This is essentially a tamper-proof way of verifying that an artifact was actually built in our CI to verify its identity. This is now available in GitHub Actions through a public beta of artifact attestations.

This isn't compatible with the Windows trust store for Authenticode, so we'll have to look into purchasing an EV certificate or using an OV certificate from SignPath. We'll have to wait and see whether GitHub is planning on offering a signed timestamp for Authenticode compatibility. Until then, we'll need to submit samples to Microsoft in order to gain reputation for SmartScreen (reference).

Qonfused commented 2 months ago

For release builds of MTGOSDK built in CI, we'll want to validate that the corresponding ClrMD assembly we're communicating with at runtime also came from there -- or from another build if re-using the same MTGO instance with another version of MTGOSDK.

There is still an open question about debug/non-release builds of the SDK, especially for integration testing in CI. It's easiest to disable this validation if the MTGOSDK assembly isn't attested, though this undermines the zero-trust model we're trying to implement.