
Commit

Replace the use of GPG release signatures with GitHub attestations (e…
remyroy authored Oct 16, 2024
1 parent 406b7f6 commit eb3a108
Showing 3 changed files with 15 additions and 34 deletions.
20 changes: 2 additions & 18 deletions .github/workflows/build.yml
Expand Up @@ -92,31 +92,17 @@ jobs:
if: ${{ startsWith(matrix.os, 'macos-') }}
run: |
brew install coreutils
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
id: import-gpg-key
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
trust_level: 5
- name: List GPG keys
run: gpg -K
- name: Create archive, checksum and GPG signature (Linux & macOS)
- name: Create archive and checksum (Linux & macOS)
if: ${{ startsWith(matrix.os, 'ubuntu-') || startsWith(matrix.os, 'macos-') }}
env:
GPG_KEY_ID: ${{ steps.import-gpg-key.outputs.fingerprint }}
run: |
export ARCHIVE_FILE_NAME=${BUILD_FILE_NAME}.tar.gz
echo "ARCHIVE_FILE_NAME=${ARCHIVE_FILE_NAME}" >> "$GITHUB_ENV"
tar -zcvf ${ARCHIVE_FILE_NAME} ./${BUILD_FILE_NAME}
mkdir -p output/artifacts
cp ${ARCHIVE_FILE_NAME} output/artifacts
sha256sum ${ARCHIVE_FILE_NAME} | head -c 64 > output/artifacts/${ARCHIVE_FILE_NAME}.sha256
gpg --default-key ${GPG_KEY_ID} --sign --armor --output output/artifacts/${ARCHIVE_FILE_NAME}.asc --detach-sig ${ARCHIVE_FILE_NAME}
- name: Create archive, checksum and GPG signature (Windows)
- name: Create archive and checksum (Windows)
if: ${{ startsWith(matrix.os, 'windows-') }}
env:
GPG_KEY_ID: ${{ steps.import-gpg-key.outputs.fingerprint }}
run: |
$env:ZIP_FILE_NAME = ($env:BUILD_FILE_NAME + ".zip")
echo ("ZIP_FILE_NAME=" + $env:ZIP_FILE_NAME) | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
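Review bot: with the `Import GPG key` step removed, nothing in this workflow references `secrets.GPG_PRIVATE_KEY` or `secrets.PASSPHRASE` any more, so both repository secrets should be deleted (and the key retired or revoked if this workflow was its only use) rather than left behind as unused credentials. A caveat for the renamed `Create archive and checksum` steps: the `.sha256` file is produced on the same runner and published next to the archive, so it only guards against download corruption; after this change the attestation generated later in the job is the only thing that binds the archive to this workflow, and the docs should present it that way.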
Expand All @@ -125,8 +111,6 @@ jobs:
copy $env:ZIP_FILE_NAME output\artifacts
$env:CHECKSUM_FILE_NAME_PATH = ("output\artifacts\" + $env:ZIP_FILE_NAME + ".sha256")
certUtil -hashfile $env:ZIP_FILE_NAME SHA256 | findstr /i /v "SHA256" | findstr /i /v "CertUtil" > $env:CHECKSUM_FILE_NAME_PATH
$env:SIGNATURE_FILE_NAME_PATH = ("output\artifacts\" + $env:ZIP_FILE_NAME + ".asc")
gpg --default-key $env:GPG_KEY_ID --sign --armor --output $env:SIGNATURE_FILE_NAME_PATH --detach-sig $env:ZIP_FILE_NAME
- name: Generate artifacts attestation (Linux & macOS)
if: ${{ startsWith(matrix.os, 'ubuntu-') || startsWith(matrix.os, 'macos-') }}
uses: actions/attest-build-provenance@v1
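Review bot: the Windows branch of this hunk drops the `.asc` generation, but the only attestation step visible here, `Generate artifacts attestation (Linux & macOS)`, is gated on `ubuntu-`/`macos-`; confirm a matching `attest-build-provenance` step runs for `windows-` with `subject-path` pointing at `$env:ZIP_FILE_NAME`, otherwise the zip ships with only its self-hosted checksum. `actions/attest-build-provenance` also needs `id-token: write` and `attestations: write` in the job's `permissions`, which this hunk does not show; if they are not already present they belong in this change. Minor: `actions/attest-build-provenance@v1` is a mutable tag, and pinning to a full commit SHA is the usual hardening for an action that signs release artifacts.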
15 changes: 7 additions & 8 deletions docs/src/quick_setup.md
Expand Up @@ -27,19 +27,18 @@ For other installation options, including building with python or virtualenv and

## Step 2: Verify the Installation

1. Make sure you have GPG installed.
1. Make sure you have [the GitHub CLI installed](https://cli.github.com/).

2. Make sure you have the `[email protected]` public key by running
```sh
gpg --keyserver keys.openpgp.org --search-keys '[email protected]'
```
2. Download [the associated attestation](https://github.com/eth-educators/ethstaker-deposit-cli/attestations) for the archive you downloaded in Step 1.

3. Verify the signature file against the corresponding file but be sure to replace the contents with the exact file name:
3. Verify the attestation file against the corresponding file but be sure to replace the contents with the exact file name:
```sh
gpg --verify staking_deposit-cli-***.asc staking_deposit-cli-***
gh attestation verify ethstaker_deposit-cli-*******-***.*** --owner eth-educators --bundle ./eth-educators-ethstaker-deposit-cli-attestation-*******.sigstore.json
```

4. You should see `Good signature from "EDC Security <[email protected]>"` in the output **otherwise do not continue**.
This step requires you to be online. If you want to perform this offline, follow [these instructions from GitHub](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline).

4. You should see `✓ Verification succeeded!` in the output **otherwise do not continue**.

## Step 3: Usage

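Review bot: `--owner eth-educators` in the step 3 command accepts an attestation produced by any repository under that owner, so a bundle signed by a workflow in a different `eth-educators` repo would also verify; `--repo eth-educators/ethstaker-deposit-cli` (optionally with `--signer-workflow` naming the build workflow) is the stricter check and matches what the reader actually wants to confirm. Smaller point: the `*******-***.***` placeholder is easy to misread as a shell glob, and a short note that it stands for the commit hash, platform and extension of the file downloaded in Step 1 would prevent copy-paste failures.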
14 changes: 6 additions & 8 deletions docs/src/release_process.md
Expand Up @@ -53,15 +53,13 @@ Release assets were built using Github Actions and [this workflow run](https://g

# Binaries

Our binaries are signed with ethstaker-deposit-cli's PGP key: `54FA06FC0860FC0DCCC68E3ECE9FF2391DF26368` .

| System | Architecture | Binary | Checksum | PGP Signature |
| System | Architecture | Binary | Checksum | Attestation |
|---------|--------------|--------------------|------------------------|-----------------------|
| Windows | x86_64 | [ethstaker_deposit-cli-c840111-windows-amd64.zip](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-windows-amd64.zip) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-windows-amd64.zip.sha256) | [PGP Signature](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-windows-amd64.zip.asc) |
| macOS | x86_64 | [ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz.sha256) | [PGP Signature](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz.asc) |
| macOS | aarch64 | [ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz.sha256) | [PGP Signature](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz.asc) |
| Linux | x86_64 | [ethstaker_deposit-cli-c840111-linux-amd64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-amd64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-amd64.tar.gz.sha256) | [PGP Signature](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-amd64.tar.gz.asc) |
| Linux | aarch64 | [ethstaker_deposit-cli-c840111-linux-arm64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-arm64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-arm64.tar.gz.sha256) | [PGP Signature](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-arm64.tar.gz.asc) |
| Windows | x86_64 | [ethstaker_deposit-cli-c840111-windows-amd64.zip](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-windows-amd64.zip) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-windows-amd64.zip.sha256) | [Attestation](https://github.com/eth-educators/ethstaker-deposit-cli/attestations/2242278) |
| macOS | x86_64 | [ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-amd64.tar.gz.sha256) | [Attestation](https://github.com/eth-educators/ethstaker-deposit-cli/attestations/2242270) |
| macOS | aarch64 | [ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-darwin-arm64.tar.gz.sha256) | [Attestation](https://github.com/eth-educators/ethstaker-deposit-cli/attestations/2242259) |
| Linux | x86_64 | [ethstaker_deposit-cli-c840111-linux-amd64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-amd64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-amd64.tar.gz.sha256) | [Attestation](https://github.com/eth-educators/ethstaker-deposit-cli/attestations/2242267) |
| Linux | aarch64 | [ethstaker_deposit-cli-c840111-linux-arm64.tar.gz](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-arm64.tar.gz) | [sha256](https://github.com/eth-educators/ethstaker-deposit-cli/releases/download/v0.1.0/ethstaker_deposit-cli-c840111-linux-arm64.tar.gz.sha256) | [Attestation](https://github.com/eth-educators/ethstaker-deposit-cli/attestations/2242273) |

# Docker image

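Review bot: deleting the fingerprint sentence leaves the `Binaries` section with no statement of what the new `Attestation` column certifies or how to check it; replace the removed line with something like `Our binaries are attested with GitHub artifact attestations, see [Step 2 of the quick setup](quick_setup.md#step-2-verify-the-installation) to verify them.` Also, the attestation links are per-release numeric IDs (`attestations/2242278` and so on) that must be refreshed for every release together with the commit hash and tag in the other columns; a reminder above the table in this template would stop a stale ID from shipping.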

0 comments on commit eb3a108
