feat(release): sign release artifacts and add build provenance#395
joshua-temple wants to merge 1 commit into
Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
Problem
cascade publishes GitHub Releases via GoReleaser but attaches no signatures, no SBOM, and no build provenance, and the build is not reproducible (release ldflags embed a wall-clock timestamp). This blocks the OpenSSF Scorecard Signed-Releases check and the OpenSSF Best Practices signed_releases and build_reproducible criteria.

Fix
- Add -trimpath, set mod_timestamp to the commit timestamp, and switch the embedded date ldflag from build time to the commit date.
- Sign checksums.txt with cosign, emitting .sig and .pem as release assets.
- GPG-sign checksums.txt (.asc) using a passphraseless release key imported from the CASCADE_RELEASE_GPG_KEY repo secret. The public key is published at docs/cascade-release-public-key.asc.
- Build provenance via actions/attest-build-provenance, verifiable with gh attestation verify.
- Workflow permissions (id-token: write, attestations: write only on the release job).
- docs/release-verification.md: how to verify cosign, GPG, and provenance, and how to reproduce the build.
All new actions are SHA-pinned and verified to resolve.

Verification
- go build ./..., go test ./..., golangci-lint run ./... all pass.
- goreleaser check valid; actionlint clean on the workflow.

Maintainer setup (done)
The signing key is provisioned: a passphraseless RSA-4096 key is generated, the CASCADE_RELEASE_GPG_KEY and CASCADE_RELEASE_GPG_FINGERPRINT repo secrets are set, and the public key is committed at docs/cascade-release-public-key.asc. The key has no passphrase by design (a passphrase would live as a repo secret in the same trust boundary), and is disposable: regenerate and republish the public key if needed.

Note on Scorecard score
cosign .sig/.pem and GPG .asc ship as release assets, satisfying Signed-Releases (signature credit). Build provenance is stored in GitHub's attestation API rather than as a .intoto.jsonl release asset; reaching the full provenance credit would require a tag-pinned generator that conflicts with SHA-pinning, so it is intentionally not pursued.
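As an added example (not the PR's own .goreleaser.yaml), the GoReleaser excerpt below shows how the GoReleaser-side pieces described above fit together: the reproducible-build settings, and the cosign and GPG detached signatures over checksums.txt. The build id, main path, the main.version/commit/date ldflag variables and the GPG_FINGERPRINT environment variable are assumptions; the provenance attestation and job permissions live in the workflow, not here.

```yaml
# Example GoReleaser config excerpt (illustrative, not the project's own file).
builds:
  - id: cascade                  # assumed build id
    main: ./cmd/cascade          # assumed entry point
    env:
      - CGO_ENABLED=0
    flags:
      - -trimpath                # drop local filesystem paths from the binary
    # Pin archive entry mtimes to the commit time so two builds of the same
    # commit produce byte-identical archives and checksums.
    mod_timestamp: "{{ .CommitTimestamp }}"
    ldflags:
      - -s -w
      - -X main.version={{ .Version }}
      - -X main.commit={{ .Commit }}
      # Commit date instead of build time: build time differs on every run.
      - -X main.date={{ .CommitDate }}

checksum:
  name_template: checksums.txt

signs:
  # Keyless cosign signature over the checksums file; the .sig and the
  # Fulcio .pem certificate are uploaded alongside it as release assets.
  - id: cosign
    cmd: cosign
    certificate: "${artifact}.pem"
    signature: "${artifact}.sig"
    args:
      - sign-blob
      - --output-signature=${signature}
      - --output-certificate=${certificate}
      - --yes
      - "${artifact}"
    artifacts: checksum
  # Detached ASCII-armoured GPG signature over the same file, made with the
  # release key imported earlier in the workflow from CASCADE_RELEASE_GPG_KEY.
  - id: gpg
    cmd: gpg
    signature: "${artifact}.asc"
    args:
      - --batch
      - --local-user
      - "{{ .Env.GPG_FINGERPRINT }}"   # assumed: exported from CASCADE_RELEASE_GPG_FINGERPRINT
      - --output
      - "${signature}"
      - --detach-sign
      - --armor
      - "${artifact}"
    artifacts: checksum
```

Because both signatures cover only checksums.txt, a consumer verifies the signature once and then checks each downloaded binary against the file with `sha256sum -c checksums.txt --ignore-missing`.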