Skip to content

Add release atteststions #343

@orf

Description

@orf
Contributor

Hello!

First, thanks for this fantastic project - it’s a great help to the community and ecosystem at large.

I would like to suggest adding artifact attestations to the releases.

This would enable supply chain verification for these builds, and provide a layer of validation above just verifying the signature.

it’s pretty simple to add: just a single step, with no configuration or changes required in the binary itself.

what do you think?

Activity

zanieb

zanieb commented on Oct 8, 2024

@zanieb
Member

Yeah these seem reasonable, were you interested in contributing this?

orf

orf commented on Oct 8, 2024

@orf
ContributorAuthor
added a commit that references this issue on Oct 16, 2024
639bf61
chludwig-haufe

chludwig-haufe commented on Dec 16, 2024

@chludwig-haufe

I see there is an open PR #371, but no further activity. Is there anything blocking the creation of the attestations?

Since I didn't see this mentioned in the documentation: How is the integrity of the Python sources and dependencies used in the build verified?

indygreg

indygreg commented on Dec 16, 2024

@indygreg
Collaborator

We pin and verify the sha256 and file size of all downloaded assets. See downloads.py.

zanieb

zanieb commented on Dec 16, 2024

@zanieb
Member

@chludwig-haufe there's a blocking comment at #371 (comment)

orf

orf commented on Dec 16, 2024

@orf
ContributorAuthor

@chludwig-haufe there's a blocking comment at #371 (comment)

Yep! I have this PR in my backlog, but some personal stuff has come up.

We should indeed only attest on main (or anything that actually publishes), adding the relevant if: blocks should be all that is needed.

added a commit that references this issue on Jan 10, 2025
e1deaa1
zanieb

zanieb commented on Jan 15, 2025

@zanieb
Member

I presume we need to attest the artifacts in .github/workflows/release.yml too? We create several derived artifacts.

chludwig-haufe

chludwig-haufe commented on Jan 17, 2025

@chludwig-haufe

Please pardon my ignorance (I am not an active user of GitHub actions) – but Verifying artifact attestations with the GitHub CLI made me assume I could verify the integrity of a downloaded package as follows:

$ curl -LO https://github.com/astral-sh/python-build-standalone/releases/download/20250115/cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz
$ export GH_TOKEN="GitHub personal access token w/ read privileges"
$ gh attestation verify cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz -R astral-sh/python-build-standalone
Loaded digest sha256:21dba90e7a0b879fdc475411fc8c39e0567c6f5c92112956b63de7f83ee433ad for file://cpython-3.10.16+20250115-aarch64-apple-darwin-install_only.tar.gz
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from astral-sh/python-build-standalone: HTTP 404: Not Found (https://api.github.com/repos/astral-sh/python-build-standalone/attestations/sha256:21dba90e7a0b879fdc475411fc8c39e0567c6f5c92112956b63de7f83ee433ad?per_page=30)

What am I missing?

zanieb

zanieb commented on Jan 17, 2025

@zanieb
Member

The -install_only archives are derived, as I mentioned in #343 (comment)

reopened this on Jan 17, 2025
zanieb

zanieb commented on Jan 17, 2025

@zanieb
Member

Let's just re-open this until we reach a point where these are validated as functional. cc @samypr100

chludwig-haufe

chludwig-haufe commented on Jan 18, 2025

@chludwig-haufe

The -install_only archives are derived, as I mentioned in #343 (comment)

Ah, I didn't make the connection that your comment referred to installable packages, too. I had assumed you meant SBOMs and similar metadata. (I am obviously not familiar with your build pipeline.) Thanks for the clarification.

chludwig-haufe

chludwig-haufe commented on Jan 19, 2025

@chludwig-haufe

I can verify, e..g., cpython-3.10.16+20250115-aarch64-apple-darwin-pgo+lto-full.tar.zst.
On the other hand, the verification of cpython-3.10.16+20250115-aarch64-unknown-linux-gnu-lto-full.tar.zst fails with a 404.

Looking at .github/workflows/linux.yml, I suspect the former artifact is generated by build-1 and the latter by build-0: build-1 includes a "Generate Attestation" step in line 326, whereas build-0 has no such step.

added a commit that references this issue on Jan 28, 2025
samypr100

samypr100 commented on Feb 14, 2025

@samypr100
Contributor

@chludwig-haufe can you try again on the latest release?

chludwig-haufe

chludwig-haufe commented on Feb 14, 2025

@chludwig-haufe

I downloaded and successfully verified all(?) 564 artifacts matching the shell pattern cpython*.tar.{gz,zst} - looks good!

Thanks!

zanieb

zanieb commented on Feb 14, 2025

@zanieb
Member

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Participants

      @indygreg@orf@charliermarsh@zanieb@samypr100

      Issue actions

        Add release atteststions · Issue #343 · astral-sh/python-build-standalone