
ci(release): sigstore keyless signing for SHA256SUMS + RELEASING.md #296

Merged: avrabe merged 1 commit into main from ci/release-cosign-signing on May 17, 2026

Conversation

@avrabe
Contributor

@avrabe avrabe commented May 17, 2026

Summary

Supply-Chain-Pentester finding from the v0.10.0 adversarial review (SHA256SUMS was unsigned). Ships sigstore keyless OIDC signing — no long-lived signing key, no KMS provisioning, no rotation.

What changes

  • release.yml gets permissions.id-token: write (required for OIDC token).
  • New `Install cosign` + `Sign SHA256SUMS with cosign (keyless OIDC)` steps between checksum generation and release creation.
  • Emits three new release assets:
    • `SHA256SUMS.txt.cosign.bundle` — verifier-friendly single-file bundle (signature + cert + Rekor inclusion proof).
    • `SHA256SUMS.txt.sig` — detached signature.
    • `SHA256SUMS.txt.pem` — Fulcio-issued short-lived cert.
  • New `RELEASING.md` documenting verification flow, GPG tag-signing policy, explicit "NOT signed" scope.

Trust anchor

The cert's identity claim binds the signature to the GitHub-Actions workflow identity:

Verification (in `RELEASING.md`):
```bash
# Step 1: check the signature on the checksum file against the release
# workflow's Fulcio identity (issuer + certificate SAN) using the bundle.
cosign verify-blob \
  --bundle SHA256SUMS.txt.cosign.bundle \
  --certificate-identity-regexp 'https://github.com/pulseengine/rivet/.github/workflows/release.yml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  SHA256SUMS.txt

# Step 2: with SHA256SUMS.txt now trusted, check the archives actually
# downloaded; --ignore-missing skips entries for assets not present locally.
sha256sum -c SHA256SUMS.txt --ignore-missing
```

What's NOT in this PR (deliberate)

  • Per-archive signatures (the signed `SHA256SUMS.txt` covers them transitively; consumers do the two-step verify).
  • VSIX signing — separate workstream.
  • attest-build-provenance on every archive — workflow already does it for the linux release binary in `ci.yml`; expansion to release.yml is a separate PR.
  • In-toto attestation bundle.

Test plan

  • Validate the workflow file parses (CI yaml-lint).
  • Push a test tag to a fork and verify the new artifacts appear on the release page.
  • Run `cosign verify-blob` against the published bundle to confirm the cert identity matches.

🤖 Generated with Claude Code

Supply-Chain-Pentester finding (v0.10.0 adversarial review):
SHA256SUMS shipped unsigned, so anyone who could replace a release
asset could also replace the checksum file. The dossier sold defect
detection (true) but quietly implied tamper detection (false).

Closes 80% of that gap with sigstore keyless OIDC — no long-lived
signing key, no KMS provisioning, no rotation. The trust anchor is
the GitHub-Actions workflow identity (issuer
`token.actions.githubusercontent.com`, subject
`.github/workflows/release.yml@refs/tags/vX.Y.Z`).

Workflow changes:
- `permissions.id-token: write` so the runner can request its OIDC
  token (required by cosign keyless flow).
- New `Install cosign` step (sigstore/cosign-installer@v3, v2.4.1).
- New `Sign SHA256SUMS with cosign (keyless OIDC)` step between
  checksum generation and release creation. Emits three artifacts:
  - `SHA256SUMS.txt.cosign.bundle` (verifier-friendly bundle)
  - `SHA256SUMS.txt.sig` (detached signature)
  - `SHA256SUMS.txt.pem` (Fulcio-issued short-lived cert)
- The existing `Collect assets` step's permissive `find` already
  picks up the new files; the release page will include them
  automatically.

New `RELEASING.md` documents:
- Why signed git tags matter + how to verify (`git tag -v`).
- What CI signs (and why sigstore keyless was chosen).
- How a consumer verifies a downloaded binary (two-step flow:
  cosign verify-blob on the bundle, then sha256sum -c).
- What is explicitly NOT signed at v0.10.0+ (binary archives
  transitively only, VSIX, compliance tarball, the maintainer's
  GPG keylist — for parity with the dossier §0 honest scope).
- The manual-republish procedure used for v0.10.0 (#294 context).

This addresses the Supply-Chain-Pentester's "one minimum primitive
that closes 80% of the gaps" recommendation. The remaining 20%
(per-archive signatures, VSIX signing, attestation in-toto bundle)
are separate workstreams.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
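The two-step consumer flow above (cosign verify-blob on the bundle, then sha256sum -c), written out as a fail-closed script. This is an added example, not code from the rivet repository or from RELEASING.md. It keeps the asset names and the pulseengine/rivet workflow identity the PR describes, but pins the certificate identity to `refs/tags/<tag>` (the subject form the commit message gives) instead of the `@.*` regexp, which would also accept a signature minted by a branch run of the same workflow. The `--strict` flag on the checksum step and the `shasum` fallback are the example's own choices; the tag to verify is passed as an argument.

```shell
#!/usr/bin/env sh
# Added example: fail-closed verification of a rivet release download.
# Not the project's own script. Asset names and workflow path are taken
# from PR #296; the tag pinning and --strict are this example's additions.
set -eu

REPO="pulseengine/rivet"
WORKFLOW=".github/workflows/release.yml"
ISSUER="https://token.actions.githubusercontent.com"

# Certificate SAN that cosign must see for a release built from a tag push.
expected_identity() {  # $1 = release tag, e.g. v0.10.0
  printf 'https://github.com/%s/%s@refs/tags/%s\n' "$REPO" "$WORKFLOW" "$1"
}

# Exact-match check of an identity string against the tag-pinned form.
# Shown separately so the policy can be unit-tested without cosign.
identity_matches() {  # $1 = identity from the cert, $2 = release tag
  [ "$1" = "$(expected_identity "$2")" ]
}

# Pick the checksum tool: GNU coreutils sha256sum, else perl shasum (macOS).
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum"
  else
    echo "shasum -a 256"
  fi
}

# Step 1: the signature on SHA256SUMS.txt must come from the release
# workflow running on exactly this tag, via GitHub's OIDC issuer.
verify_checksums_signature() {  # $1 = release tag, $2 = directory with assets
  cosign verify-blob \
    --bundle "$2/SHA256SUMS.txt.cosign.bundle" \
    --certificate-identity "$(expected_identity "$1")" \
    --certificate-oidc-issuer "$ISSUER" \
    "$2/SHA256SUMS.txt"
}

# Step 2: check the archives present locally against the now-trusted list.
# --ignore-missing: only verify what was downloaded.
# --strict: a malformed checksum line is an error, not a silent skip.
# If no listed file is present at all, the tool exits non-zero.
verify_downloaded_assets() {  # $1 = directory with assets
  (cd "$1" && $(sha256_cmd) --check --ignore-missing --strict SHA256SUMS.txt)
}

# Usage: sh verify-release.sh v0.10.0 ./downloads
verify_release() {  # $1 = release tag, $2 = directory with assets (default .)
  verify_checksums_signature "$1" "${2:-.}"
  verify_downloaded_assets "${2:-.}"
}

if [ "$#" -ge 1 ]; then
  verify_release "$@"
fi
```

Run it from a directory holding `SHA256SUMS.txt`, `SHA256SUMS.txt.cosign.bundle` and the archives you pulled from the release page. Step 2 never runs if step 1 fails, so an attacker who can swap release assets must also produce a Fulcio certificate for the release workflow on that exact tag, which is the gap the PR sets out to close.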
@codecov

codecov Bot commented May 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@avrabe avrabe merged commit 2932166 into main May 17, 2026
16 of 38 checks passed
@avrabe avrabe deleted the ci/release-cosign-signing branch May 17, 2026 05:27