
Generate build provenance attestations #28

Closed
shenxianpeng opened this issue Jun 2, 2024 · 5 comments
Labels
enhancement New feature or request Stale

Comments

@shenxianpeng
Contributor

shenxianpeng commented Jun 2, 2024

shenxianpeng added the enhancement (New feature or request) label Jun 2, 2024
@2bndy5
Contributor

2bndy5 commented Jun 3, 2024

That last link was most helpful to me. I've never been too concerned about verifying "artifacts" that I download over the Internet.

Now that I have a better understanding of provenance attestation, my first thought was the static binaries we are distributing via clang-tools-pip use. This is where I'd start integrating proper attestation. Then we can use such attestation downstream in cpp-linter-action (or in clang-tools-pip itself)...

PyPI does not support any form of digital signing (that I'm aware of). Just last year, they dropped their support for PGP signatures.

@shenxianpeng
Contributor Author

shenxianpeng commented Jun 3, 2024

To summarize your thoughts, we can at least start with this

Maybe we do not need to verify attestation in cpp-linter-action because static binaries have been verified in clang-tools-pip.

Digital signing seems to be on the roadmap of PyPI: pypi/warehouse#15871


This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions bot added the Stale label Nov 15, 2024
@2bndy5
Contributor

2bndy5 commented Nov 15, 2024

This is complete anyway, right?

@shenxianpeng
Contributor Author

shenxianpeng commented Nov 15, 2024

I removed "- [ ] cpp-linter/clang-tools-static-binaries#24" from the above list since it already provides sha256 files and it is not easy to switch to GitHub attestations for now.

We have generated GitHub attestations for our Python package publish, so it is completed.
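The thread above settles on GitHub build provenance attestations for the Python package publish. The workflow below is an added example written for this page; it is not the cpp-linter project's own workflow and does not come from any comment in the thread. It shows the two halves a practitioner cares about: the publishing side generates and signs a provenance statement for every distribution file, and a verification step proves that the attestation resolves and names the expected owner before anything is released. The repository owner "example-org", the tag trigger and the `python -m build` invocation are assumptions, not facts from the issue.

```yaml
# Added example, not the cpp-linter project's own workflow.
# Assumptions: the package builds with `python -m build` into dist/, and the
# repository belongs to the hypothetical GitHub organisation "example-org".
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # lets the job obtain the OIDC token that Sigstore signs with
      attestations: write    # lets the job store the attestation in the repository
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build   # writes dist/*.tar.gz and dist/*.whl

      # Produces a SLSA provenance statement for each matched file, signs it with
      # Sigstore using this workflow run's OIDC identity, and uploads it to the
      # repository's attestation store. Nothing here signs with a long-lived key.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: "dist/*"

      # Verify exactly the way a downstream consumer would: fetch the attestation
      # for each artifact's digest, check the Sigstore signature and certificate,
      # and require that the signing identity belongs to the expected owner.
      # A missing or foreign attestation fails this step and therefore the release.
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -eu
          for f in dist/*; do
            gh attestation verify "$f" --owner example-org
          done
```

A consumer of the published wheel runs the same `gh attestation verify <file> --owner example-org` against the file it downloaded, with no access to the build environment. `--owner` accepts any repository under that organisation; `--repo example-org/<repo>` restricts verification to one repository, and `--signer-workflow` further pins the workflow that must have produced the artifact, which is the check that prevents a different workflow in the same organisation from producing an attestation that still verifies. This is a different mechanism from the sha256 files mentioned for clang-tools-static-binaries: a checksum file proves the download matches what the publisher uploaded, while the attestation additionally binds the digest to a specific workflow run and source revision.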

2 participants