Sign all published files (#221)

* ci: Add attestation to SBOM * docs: Update the readme with instructions on verifying the signatures of the binary files * ci: Restrict the attestations to only be created when running within the main repo * ci: Update logic to detect forks
tektronix · May 21, 2024 · 70900c2 · 70900c2
1 parent 8fc68cf
commit 70900c2
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/.github/workflows/package-build.yml b/.github/workflows/package-build.yml
@@ -30,7 +30,7 @@ jobs:
       - uses: hynek/[email protected]
         id: build-pkg
         with:
-          attest-build-provenance-github: 'true'
+          attest-build-provenance-github: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
       - name: Set up Python
         uses: actions/setup-python@v5
         with:

diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
@@ -14,6 +14,8 @@ jobs:
     permissions:
       security-events: write
       contents: write
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5
@@ -28,6 +30,10 @@ jobs:
         with:
           format: spdx-json
           output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+      - uses: actions/attest-build-provenance@v1
+        if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
+        with:
+          subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
       - name: Scan SBOM
         uses: anchore/scan-action@v3
         id: scan

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -22,6 +22,8 @@ Things to be included in the next release go here.
 
 - Added a new section in the documentation of each package/subpackage that shows the submodules (files) of that package/subpackage.
 - Added signed build provenance attestations to workflow artifacts for the built package.
+- Added signed build provenance attestations to the generated SBOMs.
+- Documentation was added explaining how to verify the attestations on uploaded files.
 
 ### Removed
 

diff --git a/README.md b/README.md
@@ -192,6 +192,18 @@ contributing to this project, you agree to abide by its terms.
 `tm_devices` was created by Tektronix. It is licensed under the terms of
 the [Apache License 2.0](https://tinyurl.com/tek-tm-devices/LICENSE.md).
 
+## Security
+
+The signatures of the files uploaded to [PyPI](https://pypi.org/project/tm-devices/) and each
+[GitHub Release](https://github.com/tektronix/tm_devices/releases) can be verified using
+the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify).
+The artifact attestations can also be directly downloaded from the
+[GitHub repo attestations page](https://github.com/tektronix/tm_devices/attestations) if desired.
+
+```shell
+gh attestation verify --owner tektronix <file>
+```
+
 ## Credits
 
 `tm_devices` was created with