-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use GitHub's Artifact Attestations #3128
Comments
I can take a look. |
Note to myself: update the TODO in the initial description Next: I was waiting for some pull requests in sigstore-java to be merged first. Some of them are! For example
@vlsi what do you think? Is about the right time to use the Gradle plugin to sign JUnit's artifacts in addition to the current PGP workflow? |
A critical PR is otherwise the generated bundle is just invalid as it misses That would be pretty good, however, you'll need to update |
Thanks for the quick reply, Vladimir! Updating the status of this issue accordingly. |
Wondering whether we can achieve the same effect (meaning, sign all JAR files) by using some GitHub Action after the build produced them? 🤔 Something similar to: junit5/.github/workflows/main.yml Line 68 in 700c2d4
|
Of course, you can sign all the jars, poms, and other files via Action. Here's the way you can generate signatures: https://github.com/sigstore/protobuf-specs/blob/16541696de137c6281d66d075a4924d9bbd181ff/java/scripts/sign_and_bundle_release.sh#L72 |
Just in case, the most secure approach would be signing the files within a separate GitHub workflow, so only well-known binaries have access to signing credentials (e.g. OIDC token). In other words:
I am afraid that sounds like a non-trivial GitHub Actions exercise. |
One more thing: there's https://github.com/slsa-framework/slsa-github-generator effort to come up with a reusable workflow for creating the attestations. |
The sad thing is that you launch Gradle with all the third-party plugins with Sonatype credentials. Recently GitHub improved "reusable workflows" part, so it might be that there's a possibility to come up with a reusable workflow that you just copy&paste and get "safe and secure" sign&push to Central. |
With https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ we can achieve artitfact attestations by calling https://github.com/actions/attest-build-provenance for all our artifacts just before deployment. No build tool plugin is required - updating the issue title accordingly. |
Addresses part of #3128 --------- Co-authored-by: Marc Philipp <mail@marcphilipp.de>
I was just about to add these items to the description: TODO
But those could also go into dedicated issues. |
I think adding them to this issue is fine. I was just wondering what's left to do, if anything. |
In practice, you don't want allowing https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon exists exactly for the reason of avoiding At the same time, you probably want to attest the generated pom files as well |
Good to learn. Is there another way to guard against that? Like having a dedicated workflow build for attestation that only runs on behalf of the "junit-team"? Doesn't the following line already take care about that? junit5/.github/workflows/main.yml Line 77 in b3eb972
|
We'll start with JAR files for the time being. Otherwise, why stop with pom files and not include hash files, Gradle modules files, etc. Mind that every type is multiplied with 19 ... the number of published packages by the JUnit 5 project. As soon as Sonatype permits us to drop PGP/GPG for deployments to Maven Central and uses Sigstore-based attestations instead, we should consider generating attests for every and each file. |
The attestations attest hash of the file, so creating separate attestations for hash files sounds wasteful, and it adds no value.
I would suggest you keep publishing both PGP and Sigstore for backward compatibility reasons.
There's a cyclic dependency when signing metadata.
Having In the ideal world, we execute build without
As far as I know, Maven Central already supports uploading For instance, see check out |
Generate verify-able signed attestations for every artifact made with GitHub Actions.
Attestations do appear here:
TODO
id-token: write
for pull request buildsSNAPSHOT
JAR files to include the current git commit hash, likejunit-jupiter-5.11.0-SNAPSHOT+d8697a0.jar
for https://github.com/junit-team/junit5/attestations/1002406The text was updated successfully, but these errors were encountered: