Figure out how to sign for the default release assets #44

woodruffw · 2023-02-09T18:12:55Z

By default, GitHub Actions produces {tag}.tar.gz and {tag}.zip assets for each release.

These artifacts are generated on the fly, meaning that they can (and have) changed their contents (and thus digests) over time. This recently caused some significant breakage due to incorrect assumptions around that: https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/

Given that they can change, the correct thing for us to do here is probably to download the asset as it appears, sign for it, and then re-upload it to the release as a new asset: this will freeze it, meaning that the signature will remain correct.

The text was updated successfully, but these errors were encountered:

woodruffw · 2023-02-09T18:15:53Z

So, the individual items here:

Figure out how to download the "special" {tag}.tar.gz and {tag}.zip assets from a workflow that was triggered by the release: published event;
Sign for them;
Upload them back to the release, along with their signatures.

woodruffw · 2023-02-09T19:32:32Z

CC @tnytown: I can't assign you this since you're not an org member, but this is a good first issue to start with.

woodruffw added the enhancement New feature or request label Feb 9, 2023

tnytown mentioned this issue Feb 15, 2023

action: download default release assets to sign #46

Merged

woodruffw closed this as completed in #46 Feb 15, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Figure out how to sign for the default release assets #44

Figure out how to sign for the default release assets #44

woodruffw commented Feb 9, 2023

woodruffw commented Feb 9, 2023

woodruffw commented Feb 9, 2023

Figure out how to sign for the default release assets #44

Figure out how to sign for the default release assets #44

Comments

woodruffw commented Feb 9, 2023

woodruffw commented Feb 9, 2023

woodruffw commented Feb 9, 2023