Skip to content

Commit

Permalink
Signed-Releases: really look for *.sign files (#1298)
Browse files Browse the repository at this point in the history
With this patch applied projects like dracut pass the check:
```
  "checks": [
    {
      "details": [
        "Debug: GitHub release found: 055",
        "Info: signed release artifact: dracut-055.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/37635937",
        "Debug: GitHub release found: 054",
        "Info: signed release artifact: dracut-054.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/36958052",
        "Debug: GitHub release found: 053",
        "Info: signed release artifact: dracut-053.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32484038",
        "Debug: GitHub release found: 052",
        "Info: signed release artifact: dracut-052.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/32130796",
        "Debug: GitHub release found: 051",
        "Info: signed release artifact: dracut-051.tar.sign: https://api.github.com/repos/dracutdevs/dracut/releases/assets/31933850"
      ],
      "score": 10,
      "reason": "5 out of 5 artifacts are signed -- score normalized to 10",
      "name": "Signed-Releases",
```
  • Loading branch information
evverx authored Nov 20, 2021
1 parent 730076f commit 9d29765
Show file tree
Hide file tree
Showing 3 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion checks/signed_releases.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ const (
releaseLookBack = 5
)

var artifactExtensions = []string{".asc", ".minisig", ".sig"}
var artifactExtensions = []string{".asc", ".minisig", ".sig", ".sign"}

//nolint:gochecknoinits
func init() {
Expand Down
2 changes: 1 addition & 1 deletion docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -495,7 +495,7 @@ Signed releases attest to the provenance of the artifact.

This check looks for the following filenames in the project's last five
releases: [*.minisig ](https://github.com/jedisct1/minisign), *.asc (pgp),
*.sign.
*.sig, *.sign.

Note: The check does not verify the signatures.

Expand Down
2 changes: 1 addition & 1 deletion docs/checks/internal/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -568,7 +568,7 @@ checks:
This check looks for the following filenames in the project's last five
releases: [*.minisig ](https://github.com/jedisct1/minisign), *.asc (pgp),
*.sign.
*.sig, *.sign.
Note: The check does not verify the signatures.
remediation:
Expand Down

0 comments on commit 9d29765

Please sign in to comment.