Skip to content

Add release atteststions #343

Closed
@orf

Description

@orf
Contributor

Hello!

First, thanks for this fantastic project - it’s a great help to the community and ecosystem at large.

I would like to suggest adding artifact attestations to the releases.

This would enable supply chain verification for these builds, and provide a layer of validation above just verifying the signature.

it’s pretty simple to add: just a single step, with no configuration or changes required in the binary itself.

what do you think?

Activity

zanieb

zanieb commented on Oct 8, 2024

@zanieb
Member

Yeah these seem reasonable, were you interested in contributing this?

orf

orf commented on Oct 8, 2024

@orf
ContributorAuthor
added a commit that references this issue on Oct 16, 2024
639bf61
chludwig-haufe

chludwig-haufe commented on Dec 16, 2024

@chludwig-haufe

I see there is an open PR #371, but no further activity. Is there anything blocking the creation of the attestations?

Since I didn't see this mentioned in the documentation: How is the integrity of the Python sources and dependencies used in the build verified?

indygreg

indygreg commented on Dec 16, 2024

@indygreg
Collaborator

We pin and verify the sha256 and file size of all downloaded assets. See downloads.py.

zanieb

zanieb commented on Dec 16, 2024

@zanieb
Member

@chludwig-haufe there's a blocking comment at #371 (comment)

orf

orf commented on Dec 16, 2024

@orf
ContributorAuthor

@chludwig-haufe there's a blocking comment at #371 (comment)

Yep! I have this PR in my backlog, but some personal stuff has come up.

We should indeed only attest on main (or anything that actually publishes), adding the relevant if: blocks should be all that is needed.

added a commit that references this issue on Jan 10, 2025
e1deaa1
zanieb

zanieb commented on Jan 15, 2025

@zanieb
Member

I presume we need to attest the artifacts in .github/workflows/release.yml too? We create several derived artifacts.

chludwig-haufe

chludwig-haufe commented on Jan 17, 2025

@chludwig-haufe

Please pardon my ignorance (I am not an active user of GitHub actions) – but Verifying artifact attestations with the GitHub CLI made me assume I could verify the integrity of a downloaded package as follows:

$ curl -LO https://github.com/astral-sh/python-build-standalone/releases/download/20250115/cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz
$ export GH_TOKEN="GitHub personal access token w/ read privileges"
$ gh attestation verify cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz -R astral-sh/python-build-standalone
Loaded digest sha256:21dba90e7a0b879fdc475411fc8c39e0567c6f5c92112956b63de7f83ee433ad for file://cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from astral-sh/python-build-standalone: HTTP 404: Not Found (https://api.github.com/repos/astral-sh/python-build-standalone/attestations/sha256:21dba90e7a0b879fdc475411fc8c39e0567c6f5c92112956b63de7f83ee433ad?per_page=30)

What am I missing?

zanieb

zanieb commented on Jan 17, 2025

@zanieb
Member

The -install_only archives are derived, as I mentioned in #343 (comment)

11 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Participants

      @indygreg@orf@charliermarsh@zanieb@samypr100

      Issue actions

        Add release atteststions · Issue #343 · astral-sh/python-build-standalone