
fix: harden release package verification #38

Merged: ebursztein merged 1 commit into main from codex/release-verification-hardening on May 12, 2026

Conversation

@ebursztein
Collaborator

Summary

  • require the macOS release workflow to use a Developer ID Installer identity and block on pkgutil/Gatekeeper assessment after stapling
  • fix the Debian payload verifier for zstd members without embedded content sizes and cover it with tests
  • record the v1.1.1778542197 T12 release evidence and release-process skill notes

Verification

  • uv run --offline pytest tests/test_verify_deb_payload.py tests/test_release_workflow_policy.py -q
  • uv run --offline python scripts/verify_deb_payload.py /private/tmp/capsem-release-verify/Capsem_1.1.1778542197_amd64.deb /private/tmp/capsem-release-verify/Capsem_1.1.1778542197_arm64.deb --minisign-pubkey config/manifest-sign.pub
  • git diff --check
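
The post-staple gate from the first summary bullet, as an added example that is not the project's release workflow. It assumes the package has already been signed with a Developer ID Installer identity (`productsign`), notarized (`xcrun notarytool submit --wait`) and stapled (`xcrun stapler staple`); `gate_pkg` then runs `pkgutil --check-signature` and `spctl --assess --type install` and exits non-zero unless the leaf certificate is a Developer ID Installer identity for the expected team, the package is reported as notarized, and Gatekeeper accepts it. The function and constant names are mine, the expected output strings are what current macOS prints and should be re-checked on your own host, and the sample reports are constructed for offline testing rather than captured from a real build.

```python
import re
import subprocess

# Policy constants. The strings are the ones printed by current macOS `pkgutil --check-signature`
# and `spctl --assess`; they are assumptions here and should be confirmed on the release host.
REQUIRED_LEAF_PREFIX = "Developer ID Installer:"
STATUS_OK = "signed by a developer certificate issued by Apple for distribution"
NOTARY_OK = "trusted by the Apple notary service"
GATEKEEPER_SOURCE_OK = "Notarized Developer ID"

def parse_pkgutil_report(text):
    """Pull the Status, Notarization and leaf-certificate lines out of pkgutil's report."""
    def field(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    return {"status": field(r"^\s*Status:\s*(.+)$"),
            "notarization": field(r"^\s*Notarization:\s*(.+)$"),
            "leaf": field(r"^\s*1\.\s*(.+)$")}   # first entry of the Certificate Chain

def pkg_policy_violations(report, team_id=None):
    """Return the list of policy failures; an empty list means the package passes."""
    problems = []
    if report["status"] != STATUS_OK:
        problems.append("status: %r" % (report["status"],))
    if report["notarization"] != NOTARY_OK:
        problems.append("notarization: %r" % (report["notarization"],))
    leaf = report["leaf"] or ""
    if not leaf.startswith(REQUIRED_LEAF_PREFIX):        # e.g. signed with the *Application* identity
        problems.append("leaf certificate is not a Developer ID Installer identity: %r" % leaf)
    elif team_id and not leaf.endswith("(%s)" % team_id):
        problems.append("leaf certificate belongs to another team: %r" % leaf)
    return problems

def parse_spctl_assessment(text):
    """spctl prints '<path>: accepted|rejected' and 'source=<reason>'; return (accepted, source)."""
    accepted = re.search(r":\s*accepted\s*$", text, re.M) is not None
    m = re.search(r"^source=(.+)$", text, re.M)
    return accepted, (m.group(1).strip() if m else None)

def gate_pkg(pkg_path, team_id=None):
    """Run both assessments on macOS after `xcrun stapler staple`; fail closed on any finding."""
    sig = subprocess.run(["pkgutil", "--check-signature", pkg_path], capture_output=True, text=True)
    problems = pkg_policy_violations(parse_pkgutil_report(sig.stdout), team_id)
    gk = subprocess.run(["spctl", "--assess", "--type", "install", "-vv", pkg_path],
                        capture_output=True, text=True)
    accepted, source = parse_spctl_assessment(gk.stdout + gk.stderr)   # spctl writes its verdict to stderr
    if not accepted or source != GATEKEEPER_SOURCE_OK:
        problems.append("Gatekeeper: accepted=%s source=%r" % (accepted, source))
    if problems:
        raise SystemExit("release gate failed for %s:\n  %s" % (pkg_path, "\n  ".join(problems)))
    return True

# Constructed sample reports (not captured from a real Capsem build) for offline testing.
GOOD_PKGUTIL = """Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2026-05-12 00:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
       Expires: 2031-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""
APP_IDENTITY_PKGUTIL = GOOD_PKGUTIL.replace("Developer ID Installer:", "Developer ID Application:")
UNSIGNED_PKGUTIL = 'Package "Example.pkg":\n   Status: no signature\n'
GOOD_SPCTL = "Example.pkg: accepted\nsource=Notarized Developer ID\n"
REJECTED_SPCTL = "Example.pkg: rejected\nsource=no usable signature\n"
```

The split between the parsers and `gate_pkg` is deliberate: the policy can be unit-tested on captured reports in CI on any platform, while only the thin wrapper needs a macOS runner. Checking the leaf certificate prefix is what catches the common mistake of signing the installer with a Developer ID Application identity, which `pkgutil` still reports as signed.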

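The zstd content-size edge case from the second summary bullet, as an added example that is not `scripts/verify_deb_payload.py`: a pure-stdlib verifier that parses the `.deb` ar container, reads the zstd frame header of `data.tar.zst` and treats Frame_Content_Size as optional, measuring the payload by walking the blocks instead of trusting the header. A verifier that requires the field rejects every package whose payload was produced from a pipe (`tar | zstd` cannot know the size up front); one that trusts it without checking can be lied to. Only Raw and RLE blocks are decoded here, the `.deb` and its frames are constructed inline, and the expected digest is passed in as a plain argument because minisign verification of the manifest is outside this example. All function names are mine.

```python
import hashlib

ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"

def ar_members(blob):
    """Yield (name, data) for each member of an 'ar' archive, the .deb container."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar writes 'name/', dpkg pads with spaces
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated ar member %r" % name)
        yield name, data
        pos += 60 + size + (size & 1)                  # members start on even offsets

def zstd_frame_header(frame):
    """Parse a zstd frame header (RFC 8878 s.3.1.1) -> (content size or None, first block offset, checksum flag)."""
    if frame[:4] != ZSTD_MAGIC:
        raise ValueError("not a zstd frame")
    fhd = frame[4]
    fcs_flag, single_segment = fhd >> 6, (fhd >> 5) & 1
    checksum, dict_flag = (fhd >> 2) & 1, fhd & 3
    pos = 5 + (0 if single_segment else 1)             # Window_Descriptor unless single-segment
    pos += (0, 1, 2, 4)[dict_flag]                     # Dictionary_ID
    fcs_size = (1 if single_segment else 0, 2, 4, 8)[fcs_flag]   # 0 bytes = size not embedded
    declared = None
    if fcs_size:                                       # the 2-byte field stores size - 256
        declared = int.from_bytes(frame[pos:pos + fcs_size], "little") + (256 if fcs_size == 2 else 0)
        pos += fcs_size
    return declared, pos, checksum

def zstd_payload(frame):
    """Walk the blocks and return the decompressed bytes (Raw and RLE only; enough for the sample)."""
    _, pos, checksum = zstd_frame_header(frame)
    out, last = bytearray(), 0
    while not last:
        if pos + 3 > len(frame):
            raise ValueError("truncated zstd frame: missing block header")
        bh = int.from_bytes(frame[pos:pos + 3], "little")
        last, btype, bsize = bh & 1, (bh >> 1) & 3, bh >> 3
        pos += 3
        if btype == 0:                                     # Raw_Block
            chunk, pos = frame[pos:pos + bsize], pos + bsize
        elif btype == 1:                                   # RLE_Block: one byte repeated bsize times
            chunk, pos = frame[pos:pos + 1] * bsize, pos + 1
        else:                                              # 2 = Compressed_Block, 3 = reserved
            raise NotImplementedError("block type %d: hand off to a streaming zstd decoder" % btype)
        if len(chunk) != bsize:
            raise ValueError("truncated zstd block")
        out += chunk
    if checksum and len(frame) < pos + 4:
        raise ValueError("truncated zstd frame: missing Content_Checksum")
    return bytes(out)

def verify_deb_payload(deb, expected_sha256=None):
    """Check data.tar.zst inside a .deb; return declared size, streamed size and SHA-256. The declared
    size is advisory: present -> must equal the streamed length; absent -> the stream is the only truth."""
    members = dict(ar_members(deb))
    if members.get("debian-binary") != b"2.0\n":
        raise ValueError("not a Debian binary package")
    frame = members["data.tar.zst"]
    declared, _, _ = zstd_frame_header(frame)
    payload = zstd_payload(frame)
    if declared is not None and declared != len(payload):
        raise ValueError("content size mismatch: header %d, streamed %d" % (declared, len(payload)))
    digest = hashlib.sha256(payload).hexdigest()
    if expected_sha256 is not None and digest != expected_sha256:
        raise ValueError("data.tar payload digest does not match the expected value")
    return {"declared": declared, "size": len(payload), "sha256": digest}

def zstd_frame(blocks, content_size=None):
    """Constructed sample only: build a frame from [(btype, data[, rle_count])]; None omits the FCS."""
    hdr = bytes([0x00, 0x00]) if content_size is None else bytes([0x20, content_size])  # FHD + Window / FCS
    body = b""
    for i, blk in enumerate(blocks):
        bsize = blk[2] if blk[0] == 1 else len(blk[1])
        bh = int(i == len(blocks) - 1) | (blk[0] << 1) | (bsize << 3)   # Last_Block | Block_Type | Block_Size
        body += bh.to_bytes(3, "little") + blk[1]
    return ZSTD_MAGIC + hdr + body

def ar_pack(members):
    out = bytearray(b"!<arch>\n")   # constructed sample only: minimal ar writer, not a real Capsem .deb
    for name, data in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d" % (name, 0, 0, 0, "100644", len(data))).encode() + b"`\n"
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)

SAMPLE_BLOCKS = [(0, b"./usr/bin/example"), (1, b"\x00", 16)]  # 17 tar-entry bytes + 16 bytes of zero padding
def sample_deb(content_size=None):  # None = no FCS, as from `tar | zstd`; an int writes that FCS value
    return ar_pack([("debian-binary", b"2.0\n"),
                    ("control.tar.zst", zstd_frame([(0, b"control")])),
                    ("data.tar.zst", zstd_frame(SAMPLE_BLOCKS, content_size))])
```

`verify_deb_payload(sample_deb())` returns `declared: None` with a streamed size of 33, `sample_deb(33)` returns the same digest with the header agreeing, and `sample_deb(32)` is rejected because the header disagrees with the stream. The same shape applies to a real verifier built on a streaming zstd library: read the frame header, decode to a hash in chunks, and compare the declared size only if the producer wrote one.
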
@codecov-commenter

codecov-commenter commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.5%. Comparing base (d2a1de9) to head (d4d2bb3).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@          Coverage Diff          @@
##            main     #38   +/-   ##
=====================================
  Coverage   66.5%   66.5%           
=====================================
  Files        192     192           
  Lines      48822   48822           
  Branches   43974   43969    -5     
=====================================
  Hits       32496   32496           
  Misses     14899   14899           
  Partials    1427    1427           
Flag Coverage Δ
integration 9.3% <ø> (ø)
unit 66.5% <ø> (ø)


Components Coverage Δ
Network 95.8% <ø> (ø)
Security 85.4% <ø> (ø)
Tooling 76.0% <ø> (ø)
Monitoring 81.7% <ø> (ø)
Virtualization 68.9% <ø> (ø)
Runtime 60.5% <ø> (ø)
Daemon 59.7% <ø> (ø)
Service 38.3% <ø> (ø)
CLI 39.0% <ø> (ø)
MCP Server 23.7% <ø> (ø)
Gateway 76.2% <ø> (ø)
System Tray 72.6% <ø> (ø)
Guard 90.4% <ø> (ø)
UI 54.7% <ø> (ø)
Builder 88.6% <ø> (ø)

@ebursztein ebursztein merged commit 0567326 into main May 12, 2026
4 checks passed