Skip to content

Sentinel v0.7.0

Choose a tag to compare

@github-actions github-actions released this 03 May 23:36

Bigger release: dialog UX, supply-chain integrity, docs site

A substantial follow-up to v0.6.1: one user-discovered bug fix
(topgrade / paru showed sudo-rs instead of the originator), plus
seven items from a comparison sweep against Soteria, hyprpolkitagent,
cosmic-osd, polkit-kde-agent-1, lxqt-policykit, mate-polkit, and
agama. No config-format changes, no PAM stack changes — your
existing /etc/security/sentinel.conf and /etc/pam.d/polkit-1
keep working.

What changed

Dialog process names — final piece

v0.6.1 fixed sudo true (showed sudo-rs) and gparted (showed
bash). v0.7.0 closes the last common case:

  • sudo -v (cred-cache, used by topgrade / paru /
    aurutils)
    has no command after the wrapper, so
    strip_elevation_prefix returned empty and the dialog fell back
    to sudo-rs. The PAM module now walks up to PPid in that case
    and shows the user-facing originator (paru, topgrade, your
    shell) in the dialog and audit log.

    Verified with event=auth.allow ... process=paru after running
    topgrade.

Supply-chain: Sigstore artifact attestations

Every release artifact (deb, rpm, tarball, both arches) is now
accompanied by a Sigstore-signed attestation binding its sha256 to
the release.yml workflow run that produced it. Verify locally:

gh attestation verify sentinel_0.7.0-1_amd64.deb \
    --repo atayozcan/sentinel

Downstream packagers (AUR prepare() hooks, Debian / Fedora build
farms) can run this same command in their build pipeline. The
threat-model section of SECURITY.md documents what this guarantees.

Threat model written down

SECURITY.md now has an explicit Threat Model section: the two
trust boundaries (PAM module + per-user agent), what each one
trusts, what each will refuse, and why we deliberately don't ship
a systemd --user unit (would lose the compositor's sessionid).
Also notes the 2026 polkit-agent-helper-1 SUID-stripping that
Arch and Debian are rolling out — Sentinel's design isn't affected.

Docs site at https://atayozcan.github.io/sentinel/

The wiki content has been migrated into docs/ (mdBook), built and
deployed by .github/workflows/docs.yml to GitHub Pages. New
benefits:

  • PR-reviewable docs (the wiki couldn't take PRs).
  • Versioned with the code.
  • Searchable.
  • Edit-on-GitHub link on every page.

The old wiki is preserved as historical reference until v1.0.

REUSE / SPDX compliance

Every file in the repo carries an SPDX license header (or is mapped
by the new REUSE.toml). A reuse CI job enforces this on every
PR. New [![REUSE compliant]](https://api.reuse.software/info/github.com/atayozcan/sentinel)
badge in README; helps Debian / Fedora legal review and prevents
license drift as contributors add files.

OpenSSF Scorecard

New .github/workflows/scorecard.yml runs the OpenSSF Scorecard
weekly + on push, publishes results to scorecard.dev, and lands the
SARIF in the repo's Security tab. Badge in README. Sentinel was
already passing most of the checks (cargo-audit / cargo-deny,
dependabot, signed releases, branch protection); the badge just
makes the security posture legible.

Compositor compatibility issue template

New .github/ISSUE_TEMPLATE/compositor_compat.yml — structured
report form so users can contribute to the README compatibility
table directly. Dropdowns for compositor / result, fields for
distro / version / XDG_CURRENT_DESKTOP. Both "worked" and
"didn't work" reports are useful.

Agent integration test

crates/sentinel-polkit-agent/tests/agent_flow.rs drives the
session state machine (Allow / Deny / Timeout / cancel-drain)
end-to-end with mock helper + mock helper-1 via env-var test seams.
The agent crate now also exposes a library target so integration
tests can import session::run directly without spawning the
binary. New CI job agent-integration runs it on every PR.

Test coverage went from 100 → 102 cases. The full
python-dbusmock harness (covers the zbus dispatch + cookie
validation against real polkitd messages) is a v0.8 candidate.

Verify locally

sudo -v
journalctl -t pam_sentinel --since "1 minute ago" --no-pager \
    | grep "event=auth"
# Should show `process=<your shell>` (or `process=topgrade`,
# `process=paru`, etc.) — not `process=sudo-rs`.

# Verify an artifact's attestation:
gh attestation verify sentinel_0.7.0-1_amd64.deb \
    --repo atayozcan/sentinel

Skipped from the comparison sweep (with rationale)

  • zeroize / secrecy for password buffers: N/A — Sentinel is an
    Allow/Deny dialog. No password input handled in-process; pam_unix
    takes over the password prompt when our auth falls through.
  • systemd --user unit: would conflict with the deliberate XDG
    autostart + X-systemd-skip=true design (sessionid mismatch).
    Documented in the new threat-model section.
  • Existing NixOS module: nix/module.nix was already there; no
    change needed.

Wiki

The wiki has been preserved as historical reference. New
contributions go to docs/ in the repo, deploy to
https://atayozcan.github.io/sentinel/.