Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate build provenance attestations #28

Closed
shenxianpeng opened this issue Jun 2, 2024 · 5 comments
Closed

Generate build provenance attestations #28

shenxianpeng opened this issue Jun 2, 2024 · 5 comments
Labels
enhancement New feature or request Stale

Comments

@shenxianpeng
Copy link
Contributor

shenxianpeng commented Jun 2, 2024
edited
Loading

It looks like GitHub rolled out their own attestations in beta. I wonder if we could integrate with that. for more details below:
@shenxianpeng shenxianpeng added the enhancement New feature or request label Jun 2, 2024
@2bndy5
Copy link
Contributor

2bndy5 commented Jun 3, 2024
edited
Loading

That last link was most helpful to me. I've never been too concerned about verifying "artifacts" that I download over the Internet.

Now that I have a better understanding of provenance attestation, my first thought was the static binaries we are distributing via clang-tools-pip use. This is where I'd start integrating proper attestation. Then we can use such attestation downstream in cpp-linter-action (or in clang-tools-pip itself)...

Pypi does not support any form of digital signing (that in aware of). Just last year, they dropped their support for PGP signatures.

@shenxianpeng
Copy link
Contributor Author

shenxianpeng commented Jun 3, 2024
edited
Loading

To summarize your thoughts, we can at least start with this

maybe we do not need to verify attestation in cpp-linter-action because static binaries have verified in clang-tools-pip。

Digital signing seems to become a roadmap of Pypi pypi/warehouse#15871

This was referenced Jun 3, 2024
Open
Closed
@shenxianpeng shenxianpeng changed the title Create action for generating build provenance attestations Generate build provenance attestations Jun 11, 2024
shenxianpeng added a commit that referenced this issue Jun 11, 2024
@shenxianpeng
Update py-publish.yml to generate build provenance attestations
0e84011 
ref to #28
@shenxianpeng shenxianpeng mentioned this issue Jun 11, 2024
Merged
@github-actions GitHub Actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the Stale label Nov 15, 2024
@2bndy5
Copy link
Contributor

2bndy5 commented Nov 15, 2024

This is complete anyway, right?

@shenxianpeng
Copy link
Contributor Author

shenxianpeng commented Nov 15, 2024
edited
Loading

I removed - [ ] cpp-linter/clang-tools-static-binaries#24 from the above list since it already provides sha256 files and is not easy to switch GitHub attestations for now.

We have generated GitHub attestations for our Python package publish, so it is completed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@shenxianpeng @2bndy5