diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 38c7f0861..62e090d35 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,78 +1,131 @@ +name: Release + on: release: types: - published -name: release - -permissions: - # Needed to access the workflow's OIDC identity. - id-token: write - - # Needed to upload release assets. - contents: write - jobs: - pypi: - name: Build, sign and publish release to PyPI + build: + name: Build and sign artifacts + runs-on: ubuntu-latest + permissions: + id-token: write + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + steps: + - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf + + - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a + + - name: deps + run: python -m pip install -U build + + - name: build + run: python -m build + + - name: sign + run: | + mkdir -p smoketest-artifacts + + # we smoke-test sigstore by installing each of the distributions + # we've built in a fresh environment and using each to sign and + # verify for itself, using the ambient OIDC identity + for dist in dist/*; do + dist_base="$(basename "${dist}")" + + python -m venv smoketest-env + + ./smoketest-env/bin/python -m pip install "${dist}" + + # NOTE: signing artifacts currently go in a separate directory, + # to avoid confusing the package uploader (which otherwise tries + # to upload them to PyPI and fails). Future versions of twine + # and the gh-action-pypi-publish action should support these artifacts. + ./smoketest-env/bin/python -m \ + sigstore sign "${dist}" \ + --output-signature smoketest-artifacts/"${dist_base}.sig" \ + --output-certificate smoketest-artifacts/"${dist_base}.crt" + + ./smoketest-env/bin/python -m \ + sigstore verify "${dist}" \ + --cert "smoketest-artifacts/${dist_base}.crt" \ + --signature "smoketest-artifacts/${dist_base}.sig" \ + --cert-oidc-issuer https://token.actions.githubusercontent.com + + rm -rf smoketest-env + done + + - name: Generate hashes for provenance + shell: bash + id: hash + run: | + # sha256sum generates sha256 hash for all artifacts. 
+ # base64 -w0 encodes to base64 and outputs on a single line. + # sha256sum artifact1 artifact2 ... | base64 -w0 + echo "::set-output name=hashes::$(sha256sum ./dist/* | base64 -w0)" + + - name: Upload built packages + uses: actions/upload-artifact@v3 + with: + name: built-packages + path: ./dist/ + if-no-files-found: warn + + - name: Upload smoketest-artifacts + uses: actions/upload-artifact@v3 + with: + name: smoketest-artifacts + path: smoketest-artifacts/ + if-no-files-found: warn + + generate-provenance: + needs: [build] + name: Generate build provenance + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + # Currently this action needs to be referred by tag. More details at: + # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 + with: + attestation-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true + + release-pypi: + needs: [build, generate-provenance] + runs-on: ubuntu-latest + permissions: {} + steps: + - name: Download artifacts diretories # goes to current working directory + uses: actions/download-artifact@v3 + + - name: publish + uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295 + with: + user: __token__ + password: ${{ secrets.PYPI_TOKEN }} + packages_dir: built-packages/ + + release-github: + needs: [build, generate-provenance] runs-on: ubuntu-latest + permissions: + # Needed to upload release assets. 
+ contents: write steps: - - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - - - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a - - - name: deps - run: python -m pip install -U build - - - name: build - run: python -m build - - - name: sign - run: | - mkdir -p smoketest-artifacts - - # we smoke-test sigstore by installing each of the distributions - # we've built in a fresh environment and using each to sign and - # verify for itself, using the ambient OIDC identity - for dist in dist/*; do - dist_base="$(basename "${dist}")" - - python -m venv smoketest-env - - ./smoketest-env/bin/python -m pip install "${dist}" - - # NOTE: signing artifacts currently go in a separate directory, - # to avoid confusing the package uploader (which otherwise tries - # to upload them to PyPI and fails). Future versions of twine - # and the gh-action-pypi-publish action should support these artifacts. - ./smoketest-env/bin/python -m \ - sigstore sign "${dist}" \ - --output-signature smoketest-artifacts/"${dist_base}.sig" \ - --output-certificate smoketest-artifacts/"${dist_base}.crt" - - ./smoketest-env/bin/python -m \ - sigstore verify "${dist}" \ - --cert "smoketest-artifacts/${dist_base}.crt" \ - --signature "smoketest-artifacts/${dist_base}.sig" \ - --cert-oidc-issuer https://token.actions.githubusercontent.com \ - - rm -rf smoketest-env - done - - - name: publish - uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295 - with: - user: __token__ - password: ${{ secrets.PYPI_TOKEN }} - - - name: upload artifacts to github - # Confusingly, this action also supports updating releases, not - # just creating them. This is what we want here, since we've manually - # created the release that triggered the action. - uses: softprops/action-gh-release@v1 - with: - # dist/ contains the built packages, which smoketest-artifacts/ - # contains the signatures and certificates. 
- files: | - dist/* - smoketest-artifacts/* + - name: Download artifacts diretories # goes to current working directory + uses: actions/download-artifact@v3 + + - name: Upload artifacts to github + # Confusingly, this action also supports updating releases, not + # just creating them. This is what we want here, since we've manually + # created the release that triggered the action. + uses: softprops/action-gh-release@v1 + with: + # smoketest-artifacts/ contains the signatures and certificates. + files: | + built-packages/* + smoketest-artifacts/*
diff --git a/README.md b/README.md
index a236598a5..56abf4a4f 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@ sigstore-python
 ![CI](https://github.com/sigstore/sigstore-python/workflows/CI/badge.svg)
 [![PyPI version](https://badge.fury.io/py/sigstore.svg)](https://pypi.org/project/sigstore)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/sigstore-python/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/sigstore-python)
+[![SLSA](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/)
 ⚠️ This project is not ready for general-purpose use! ⚠️
@@ -305,6 +306,13 @@ Everyone interacting with this project is expected to follow the
 Should you discover any security issues, please refer to sigstore's
 [security process](https://github.com/sigstore/.github/blob/main/SECURITY.md).
+### SLSA Provenance
+This project emits a SLSA provenance on its release! This enables you to verify the integrity
+of the downloaded artifacts and ensured that the binary's code really comes from this source code.
+
+To do so, please follow the instructions [here](https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance).
+
+
 ## Info
 `sigstore-python` is developed as part of the [`sigstore`](https://sigstore.dev) project.
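Review bot: The `release-pypi` job hands whatever `actions/download-artifact@v3` places in `built-packages/` straight to `pypa/gh-action-pypi-publish` without comparing it against the digests the `build` job recorded in `steps.hash.outputs.hashes`, so the provenance that `generate-provenance` attaches to the release is never checked against the files actually published. A step between the download and the publish that decodes `needs.build.outputs.hashes` and runs `sha256sum --check` on the downloaded directory closes that gap; the list was produced as `sha256sum ./dist/*`, so the downloaded packages have to be reachable under `./dist/` for the check to line up. `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `softprops/action-gh-release@v1` are also mutable tag references in a workflow that otherwise pins actions by commit SHA and that handles `secrets.PYPI_TOKEN`, so pinning them the same way would keep the release path consistent. `if-no-files-found: warn` on the `built-packages` upload lets a build that produced nothing continue into provenance generation and publishing, where `error` is the safer setting for a release, and both download step names misspell "directories". The `hash` step also uses the deprecated `::set-output` workflow command; appending `hashes=...` to `$GITHUB_OUTPUT` is the supported form.
```yaml
      - name: Download artifacts diretories # goes to current working directory
        uses: actions/download-artifact@v3

      - name: Verify downloaded packages against the build job's hashes
        env:
          BUILD_HASHES: ${{ needs.build.outputs.hashes }}
        run: |
          # the hash list was produced as "sha256sum ./dist/*", so expose the
          # downloaded packages under ./dist/ before checking it
          ln -s built-packages dist
          echo "${BUILD_HASHES}" | base64 -d | sha256sum --check --strict

      # … unchanged: publish step …
```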