Sentinel v0.7.0
Bigger release: dialog UX, supply-chain integrity, docs site
A substantial follow-up to v0.6.1: one user-discovered bug fix
(topgrade / paru showed sudo-rs instead of the originator), plus
seven items from a comparison sweep against Soteria, hyprpolkitagent,
cosmic-osd, polkit-kde-agent-1, lxqt-policykit, mate-polkit, and
agama. No config-format changes, no PAM stack changes — your
existing /etc/security/sentinel.conf and /etc/pam.d/polkit-1
keep working.
What changed
Dialog process names — final piece
v0.6.1 fixed sudo true (showed sudo-rs) and gparted (showed
bash). v0.7.0 closes the last common case:
-
sudo -v(cred-cache, used bytopgrade/paru/
aurutils) has no command after the wrapper, so
strip_elevation_prefixreturned empty and the dialog fell back
tosudo-rs. The PAM module now walks up to PPid in that case
and shows the user-facing originator (paru,topgrade, your
shell) in the dialog and audit log.Verified with
event=auth.allow ... process=paruafter running
topgrade.
Supply-chain: Sigstore artifact attestations
Every release artifact (deb, rpm, tarball, both arches) is now
accompanied by a Sigstore-signed attestation binding its sha256 to
the release.yml workflow run that produced it. Verify locally:
gh attestation verify sentinel_0.7.0-1_amd64.deb \
--repo atayozcan/sentinelDownstream packagers (AUR prepare() hooks, Debian / Fedora build
farms) can run this same command in their build pipeline. The
threat-model section of SECURITY.md documents what this guarantees.
Threat model written down
SECURITY.md now has an explicit Threat Model section: the two
trust boundaries (PAM module + per-user agent), what each one
trusts, what each will refuse, and why we deliberately don't ship
a systemd --user unit (would lose the compositor's sessionid).
Also notes the 2026 polkit-agent-helper-1 SUID-stripping that
Arch and Debian are rolling out — Sentinel's design isn't affected.
Docs site at https://atayozcan.github.io/sentinel/
The wiki content has been migrated into docs/ (mdBook), built and
deployed by .github/workflows/docs.yml to GitHub Pages. New
benefits:
- PR-reviewable docs (the wiki couldn't take PRs).
- Versioned with the code.
- Searchable.
- Edit-on-GitHub link on every page.
The old wiki is preserved as historical reference until v1.0.
REUSE / SPDX compliance
Every file in the repo carries an SPDX license header (or is mapped
by the new REUSE.toml). A reuse CI job enforces this on every
PR. New [![REUSE compliant]](https://api.reuse.software/info/github.com/atayozcan/sentinel)
badge in README; helps Debian / Fedora legal review and prevents
license drift as contributors add files.
OpenSSF Scorecard
New .github/workflows/scorecard.yml runs the OpenSSF Scorecard
weekly + on push, publishes results to scorecard.dev, and lands the
SARIF in the repo's Security tab. Badge in README. Sentinel was
already passing most of the checks (cargo-audit / cargo-deny,
dependabot, signed releases, branch protection); the badge just
makes the security posture legible.
Compositor compatibility issue template
New .github/ISSUE_TEMPLATE/compositor_compat.yml — structured
report form so users can contribute to the README compatibility
table directly. Dropdowns for compositor / result, fields for
distro / version / XDG_CURRENT_DESKTOP. Both "worked" and
"didn't work" reports are useful.
Agent integration test
crates/sentinel-polkit-agent/tests/agent_flow.rs drives the
session state machine (Allow / Deny / Timeout / cancel-drain)
end-to-end with mock helper + mock helper-1 via env-var test seams.
The agent crate now also exposes a library target so integration
tests can import session::run directly without spawning the
binary. New CI job agent-integration runs it on every PR.
Test coverage went from 100 → 102 cases. The full
python-dbusmock harness (covers the zbus dispatch + cookie
validation against real polkitd messages) is a v0.8 candidate.
Verify locally
sudo -v
journalctl -t pam_sentinel --since "1 minute ago" --no-pager \
| grep "event=auth"
# Should show `process=<your shell>` (or `process=topgrade`,
# `process=paru`, etc.) — not `process=sudo-rs`.
# Verify an artifact's attestation:
gh attestation verify sentinel_0.7.0-1_amd64.deb \
--repo atayozcan/sentinelSkipped from the comparison sweep (with rationale)
- zeroize / secrecy for password buffers: N/A — Sentinel is an
Allow/Deny dialog. No password input handled in-process; pam_unix
takes over the password prompt when our auth falls through. - systemd --user unit: would conflict with the deliberate XDG
autostart +X-systemd-skip=truedesign (sessionid mismatch).
Documented in the new threat-model section. - Existing NixOS module:
nix/module.nixwas already there; no
change needed.
Wiki
The wiki has been preserved as historical reference. New
contributions go to docs/ in the repo, deploy to
https://atayozcan.github.io/sentinel/.