Add release attestations #343
Comments
Yeah, these seem reasonable; were you interested in contributing this?
Absolutely! I’m currently travelling and away from my laptop so it will have to be next week, but I can take a look at it when I’m back.
I see there is an open PR #371, but no further activity. Is there anything blocking the creation of the attestations? Since I didn't see this mentioned in the documentation: how is the integrity of the Python sources and dependencies used in the build verified?
We pin and verify the sha256 and file size of all downloaded assets. See downloads.py.
@chludwig-haufe there's a blocking comment at #371 (comment)
Yep! I have this PR in my backlog, but some personal stuff has come up. We should indeed only attest on main (or anything that actually publishes), adding the relevant
Follow-up on feedback from #371 and the previous work from @orf, which I cherry-picked. This adds build attestations for the builds using [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). Closes #343

### Test Plan

Did a trial CI run which results in attestations like below for `cpython-3.10-aarch64-unknown-linux-gnu-lto`:

* https://github.com/samypr100/python-build-standalone/attestations/4246020
* https://search.sigstore.dev/?logIndex=160192732

Co-authored-by: Thomas Forbes <tom.forbes@gitguardian.com>
Co-authored-by: Zanie Blue <contact@zanie.dev>
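The attestation step the PR description refers to, shown here as an added illustration rather than the project's own workflow; the job name, build command, artifact glob and the branch/release condition are assumptions, while the action name, its `subject-path` input and the three permissions are the action's documented interface:

```yaml
# Added example (not python-build-standalone's workflow): a job that builds an
# artifact and records build provenance for it with
# actions/attest-build-provenance.
name: build-and-attest

on:
  push:
    branches: [main]
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout only; no write access to the repo
      id-token: write       # the action requests an OIDC token to sign via Sigstore
      attestations: write   # the action stores the attestation in the GitHub API
    steps:
      - uses: actions/checkout@v4

      - name: Build
        # Assumed build command; the real build is project specific.
        run: ./build.sh --out dist/

      - name: Attest build provenance
        # Only attest builds from main or a published release, so that
        # pull-request builds (including ones from forks) are never attested.
        # The exact condition is an assumption for this example.
        if: github.event_name == 'release' || github.ref == 'refs/heads/main'
        uses: actions/attest-build-provenance@v2
        with:
          # Glob over the release artifacts to attest; assumed path.
          subject-path: 'dist/*.tar.gz'
```

Every file matched by `subject-path` gets its own attestation, keyed by the file's sha256 digest, which is what `gh attestation verify <file> -R <owner>/<repo>` later looks up for a downloaded copy.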
I presume we need to attest the artifacts in
Please pardon my ignorance (I am not an active user of GitHub actions) – but Verifying artifact attestations with the GitHub CLI made me assume I could verify the integrity of a downloaded package as follows:

```
$ curl -LO https://github.com/astral-sh/python-build-standalone/releases/download/20250115/cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz
$ export GH_TOKEN="GitHub personal access token w/ read privileges"
$ gh attestation verify cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz -R astral-sh/python-build-standalone
Loaded digest sha256:21dba90e7a0b879fdc475411fc8c39e0567c6f5c92112956b63de7f83ee433ad for file://cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz
✗ Loading attestations from GitHub API failed
Error: failed to fetch attestations from astral-sh/python-build-standalone: HTTP 404: Not Found (https://api.github.com/repos/astral-sh/python-build-standalone/attestations/sha256:21dba90e7a0b879fdc475411fc8c39e0567c6f5c92112956b63de7f83ee433ad?per_page=30)
```

What am I missing?
The
Let's just re-open this until we reach a point where these are validated as functional. cc @samypr100
Ah, I didn't make the connection that your comment referred to installable packages, too. I had assumed you meant SBOMs and similar metadata. (I am obviously not familiar with your build pipeline.) Thanks for the clarification.
I can verify, e.g., Looking at .github/workflows/linux.yml, I suspect the former artifact is generated by
Per #343 (comment):

* Adds attestations to build-0 of the linux matrix (due to recent refactor)
* Adds attestations to release artifacts, which include install-only derived builds.
@chludwig-haufe can you try again on the latest release?
I downloaded and successfully verified all(?) 564 artifacts matching the shell pattern

Thanks!
Thank you!
Hello!
First, thanks for this fantastic project - it’s a great help to the community and ecosystem at large.
I would like to suggest adding artifact attestations to the releases.
This would enable supply chain verification for these builds, and provide a layer of validation above just verifying the signature.
It’s pretty simple to add: just a single step, with no configuration or changes required in the binary itself.
What do you think?