This project demonstrates signing artifacts using SignPath from GitHub Actions workflows.
Signing is invoked in the sign step of .github/workflows/build-and-sign.yml.
See github.com/SignPath/github-actions for a full documentation of SignPath actions.
This project demonstrates the following attempts to violate SignPath policies and how they are averted on the control plane:
- This step selects the appropriate signing policy depending on the branch name. The actual branch must match the branch condition of the selected signing policy. The
attempt-signing-releasebranch demonstrates how SignPath will detect incorrect attempts. - The
release/malicious-dllbranch demonstrates how SignPath will detect content-level violations of the artifact configuration.
To use this demo with your own SignPath subscription, you need to get access to SignPath's GitHub Actions preview. Please contact support@signpath.io.
- Fork this repository
- Uncheck Copy the main branch only
- In your SignPath organization, create a project with
- Slug:
Demo_Application - Repository URLs: Your forked GitHub repository, e.g.
https://github.com/my/github-actions-demo - Trusted Build Systems: Link GitHub Actions (Preview)
- Add the following artifact configuration as default: .signpath/artifact-configurations/default.xml
- Add a
test-signingsigning policy - Add a
release-signingsigning policy with origin verification enabled and restricted tomainandrelease/*branches
- Slug:
- Create an API token in SignPath and add it as a GitHub Actions secret
SIGNPATH_API_TOKEN(make sure the user is a submitter in your signing policies) - Add your SignPath Organization ID as a GitHub Actions variable
SIGNPATH_ORGANIZATION_ID(click your organization's name at the upper right corner) - Enable Actions for your GitHub repository