🌱 Add cryptographic verification of release signatures #4902
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… attestations This PR enhances the Signed-Releases check to cryptographically verify signatures and provenance attestations instead of just detecting their presence. The implementation adds support for verifying releases from GitHub, Maven Central, and PyPI supporting multiple cryptographic signature formats. Formats The PR adds supports for the formats: - Sigstore: Complete support for verifying Sigstore bundles with Fulcio certificates and Rekor transparency log entries using the `sigstore-go` library - GPG: Support for verifying detached GPG signatures (`.asc` files) using `ProtonMail/go-crypto`, which replaces the deprecated `golang.org/x/crypto/openpgp` - Minisign: Support for verifying Minisign signatures (`.minisig` files) Registries The PR adds support for verifying artifacts from the following distribution registries - Maven Central: Fetches JAR and POM artifacts along with their signatures, supporting both Sigstore (`.sigstore`) and GPG (`.asc`) signature files - PyPI: Uses the PEP 740 JSON-based simple API to fetch Sigstore attestation bundles for Python package distributions (wheels and source archives) Scoring Currently, the scoring is an initial starting point for considering this added feature - GitHub releases are scored using the original algorithm: 8 points for signed releases, 10 points for releases with provenance attestations - When Scorecard fails to verify an artifact that has been signed, the score is reduced by 1 point for each verification failure. This will only reduce the score the project has earned from signed releases. - For package-only projects (no GitHub releases), proportional scoring is used with a maximum score of 7 if any verification failures occur. New packages The PR adds a few new packages: - `checks/raw/signature`: Implements a unified verification interface with separate verifiers for Sigstore, GPG, and Minisign signatures - `checks/raw/registry`: Implements package manager integrations for Maven Central and PyPI with HTTP client interfaces for testability - Dependency injection pattern enables testing without network access New probes The PR adds new probes for whether signed artifacts can be verified. As such, the existing probes that track whether signed artifacts exist are still there. Over time I suppose the existing probes can be phased out, however IMO it is too big a step for now. - `releasesHaveVerifiedSignatures`: Reports on cryptographic verification results for package manager signatures - `releasesHaveVerifiedProvenance`: Reports on cryptographic verification results for package manager provenance attestations New dependencies: I have added the following dependencies. - github.com/sigstore/sigstore-go v1.1.4: Provides Sigstore bundle verification with trusted root fetching and certificate validation - github.com/ProtonMail/go-crypto v1.3.0: Actively maintained fork of the deprecated golang.org/x/crypto/openpgp for GPG operations Signed-off-by: Adam Korczynski <adam@adalogics.com>
AdamKorcz
had a problem deploying
to
integration-test
GitHub Actions
Failure
AdamKorcz
changed the title
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #4902 +/- ##
==========================================
+ Coverage 66.80% 67.93% +1.12%
==========================================
Files 230 261 +31
Lines 16602 16778 +176
==========================================
+ Hits 11091 11398 +307
+ Misses 4808 4486 -322
- Partials 703 894 +191 🚀 New features to boost your workflow:
|
|
This pull request has been marked stale because it has been open for 10 days with no activity |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR enhances the Signed-Releases check to cryptographically verify signatures and provenance attestations instead of just detecting their presence. The implementation adds support for verifying releases from GitHub, Maven Central, and PyPI supporting multiple cryptographic signature formats.
Formats
The PR adds supports for the formats:
sigstore-golibrary.ascfiles) usingProtonMail/go-crypto, which replaces the deprecatedgolang.org/x/crypto/openpgp.minisigfiles)Registries
The PR adds support for verifying artifacts from the following distribution registries
.sigstore) and GPG (.asc) signature filesScoring
Currently, the scoring is an initial starting point for considering this added feature. I think it needs some refinement.
GitHub releases are scored using the original algorithm: 8 points for signed releases, 10 points for releases with provenance attestations. When Scorecard fails to verify an artifact that has been signed, the score is reduced by 1 point for each verification failure. This will only reduce the score the project has earned from signed releases. For package-only projects (no GitHub releases), proportional scoring is used with a maximum score of 7 if any verification failures occur.
New packages
The PR adds a few new packages:
checks/raw/signature: Implements a unified verification interface with separate verifiers for Sigstore, GPG, and Minisign signatureschecks/raw/registry: Implements package manager integrations for Maven Central and PyPI with HTTP client interfaces for testabilityNew probes
The PR adds new probes for whether signed artifacts can be verified. As such, the existing probes that track whether signed artifacts exist are still there. Over time I suppose the existing probes can be phased out, however IMO it is too big a step for now.
releasesHaveVerifiedSignatures: Reports on cryptographic verification results for package manager signaturesreleasesHaveVerifiedProvenance: Reports on cryptographic verification results for package manager provenance attestationsNew dependencies:
I have added the following dependencies.
github.com/sigstore/sigstore-go v1.1.4: Provides Sigstore bundle verification with trusted root fetching and certificate validationgithub.com/ProtonMail/go-crypto v1.3.0: Actively maintained fork of the deprecated golang.org/x/crypto/openpgp for GPG operationsWhat kind of change does this PR introduce?
PR title follows the guidelines defined in our pull request documentation
Tests for the changes have been added (for bug fixes/features)
Which issue(s) this PR fixes
Special notes for your reviewer
Testing
Project with GitHub releases + Maven Central (GPG signatures)
Project with PyPI Sigstore attestations
Project with GitHub releases only
Project with mixed verification results
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note(In particular, describe what changes users might need to make in their
application as a result of this pull request.)