Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Start publishing signature files for binaryen artifacts #6783

Open
liutikas opened this issue Jul 23, 2024 · 9 comments
Open

Start publishing signature files for binaryen artifacts #6783

liutikas opened this issue Jul 23, 2024 · 9 comments

Comments

@liutikas
Copy link

Request

Start publishing armored signature files for binaryen artifacts. E.g. for binaryen-version_118-aarch64-linux.tar.gz add binaryen-version_118-aarch64-linux.tar.gz.asc file so that the origin of this artchives can be validated.

Reasoning

Today releases for binaryen ship as tar.gz archives (e.g. binaryen-version_118-aarch64-linux.tar.gz). Kotlin Gradle Plugin uses binaryen for javascript multiplatform targets. It fetches these files from https://github.com/WebAssembly/binaryen/releases/download. Sadly, users that use Gradle signature verification have to allowlist binaryen artifacts because they are missing .asc signature files. Validating signatures allow consumers of binaryen to know they are getting artifacts from an expected source.

@liutikas
Copy link
Author

Here is an example of how users can currently allowlist it in their gradle/verification-metadata.xml

<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <components>
      <component group="com.github.webassembly" name="binaryen" version="117">
         <artifact name="binaryen-117-x86_64-linux.tar.gz">
            <sha256 value="3dc677006555b355ea2da5e82602065a161d5e83eaefd3f759afa00b96e83212" origin="Generated by Gradle" reason="https://github.com/WebAssembly/binaryen/issues/6783"/>
         </artifact>
      </component>
   </components>
</verification-metadata>

@kripken
Copy link
Member

kripken commented Jul 24, 2024

I'm not familiar with this but it sounds like a good idea. A PR to add it to our releases would be very welcome.

@liutikas
Copy link
Author

I am sadly not a cmake expert, but what you'll want is create a pair of PGP keys (private and public one that get published to keyservers like https://keyserver.ubuntu.com/), then use that key to generate .asc files for the artifacts that already get created by your cmake build.

cmake really just needs to call gpg with the private key and the artifact tar.gz as arguments and write that out to .asc file.

https://github.com/scivision/cmake-gpg-sign

@mtb0x1
Copy link
Contributor

mtb0x1 commented Jul 29, 2024

cmake really just needs to call gpg with the private key and the artifact tar.gz as arguments and write that out to .asc file.

The thing here is you need to make sure the private key stays private, so one way is to create a new repo secret and use it. I am not a fan of this one, There is a risk of intended leaks and you need to watch out for dodgy commit around it.

Another way is to move the release ci to private infrastructure and eliminate reduce risks. (costly and defies transparency/opensource purpose)

@liutikas
Copy link
Author

What's used for release ci today? If it is GitHub actions, it already supports secrets and it filters them out from all the build logs if there is an accident leak.

Signing has a high value to be able to know the binaries have not been altered in transit.

@kripken
Copy link
Member

kripken commented Jul 30, 2024

What's used for release ci today?

GitHub actions, yes:

https://github.com/WebAssembly/binaryen/blob/main/.github/workflows/create_release.yml

@liutikas
Copy link
Author

Then adding a github secret and using that for signing should be fairly straight forward https://josh-ops.com/posts/storing-certificates-as-github-secrets/

@liutikas
Copy link
Author

liutikas commented Oct 9, 2024

Any updates here? We'd really like to see this.

@kripken
Copy link
Member

kripken commented Oct 9, 2024

I'm not aware of any work on this. I could find the time to look into the secrets part, but first it would be good to see a PR that does everything aside from that (as I have no idea where to begin there).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants