feat(publish): provenance attestation #22573
Conversation
Amazing work!
```rust
for (path, entry) in manifest.manifest {
  // Verify each path with the files in the tarball.
  let file = package
    .tarball
    .files
    .iter()
    .find(|f| f.path_str == path.as_str());

  if let Some(file) = file {
    if file.hash != entry.checksum {
      bail!(
        "Checksum mismatch for {}: expected {}, got {}",
        path,
        entry.checksum,
        file.hash
      );
    }
  } else {
    bail!("File {} not found in the tarball", path);
  }
}
```
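Review bot: the loop only walks `manifest.manifest`, so it catches a manifest entry whose file is missing or whose checksum differs, but a file that exists in `package.tarball.files` with no manifest counterpart (or a manifest that simply lists fewer files) passes silently. Compare the two collections in both directions: either iterate `package.tarball.files` as well and bail when a path is absent from the manifest, or at least check that the number of matched entries equals `package.tarball.files.len()` after the loop.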
This doesn't check yet whether the registry removed a file (sorry to be picky)
Looks great!
```rust
.arg(
  Arg::new("provenance")
    .long("provenance")
    .help("From CI/CD system, publicly links the package to where it was built and published from.")
    .action(ArgAction::SetTrue)
)
```
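Review bot: the help string reads awkwardly and does not say when the flag can be used; consider something like "Publish a provenance attestation (requires a supported CI/CD OIDC environment) that publicly links the package to where it was built and published from." so users see the precondition before the flag fails outside CI.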
We can also do this in a follow-up, but can we enable provenance by default when we are using GH OIDC for auth? And then add a --no-provenance option to force it off, and a --provenance option to force it on. We can then also use --provenance to enable provenance for local publishes at some later date.
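One way to implement the flag semantics proposed above, written as an added example that is not the PR's code: provenance defaults to on exactly when GitHub Actions OIDC is available (the runner exposes ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN only when the job has id-token permission), `--provenance` forces it on, `--no-provenance` forces it off, and passing both is rejected. The env-var detection, the `ProvenanceFlag` type and the error for contradictory flags are assumptions of this example.

```rust
use std::collections::HashMap;

/// How provenance was requested on the command line.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ProvenanceFlag {
    /// Neither --provenance nor --no-provenance was passed.
    Unset,
    /// --provenance: force attestation on (e.g. a future local publish).
    ForceOn,
    /// --no-provenance: force attestation off even in CI.
    ForceOff,
}

/// Assumed detection of GitHub Actions OIDC: both variables are set by the
/// runner only when the workflow job was granted `id-token: write`.
pub fn github_oidc_available(env: &HashMap<String, String>) -> bool {
    env.contains_key("ACTIONS_ID_TOKEN_REQUEST_URL")
        && env.contains_key("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
}

/// An explicit flag wins; otherwise attest exactly when the publish will
/// authenticate with GitHub OIDC, as the review comment proposes.
pub fn should_attest(flag: ProvenanceFlag, env: &HashMap<String, String>) -> bool {
    match flag {
        ProvenanceFlag::ForceOn => true,
        ProvenanceFlag::ForceOff => false,
        ProvenanceFlag::Unset => github_oidc_available(env),
    }
}

/// Parse the two flags from argv (no clap here, to stay dependency-free);
/// rejecting both at once is an assumption, not something the PR specifies.
pub fn parse_provenance_flag(args: &[&str]) -> Result<ProvenanceFlag, String> {
    let on = args.contains(&"--provenance");
    let off = args.contains(&"--no-provenance");
    match (on, off) {
        (true, true) => Err("--provenance and --no-provenance are mutually exclusive".into()),
        (true, false) => Ok(ProvenanceFlag::ForceOn),
        (false, true) => Ok(ProvenanceFlag::ForceOff),
        (false, false) => Ok(ProvenanceFlag::Unset),
    }
}

fn main() {
    // Constructed environment standing in for std::env::vars() on a CI runner.
    let mut ci = HashMap::new();
    ci.insert("ACTIONS_ID_TOKEN_REQUEST_URL".to_string(), "https://example.invalid".to_string());
    ci.insert("ACTIONS_ID_TOKEN_REQUEST_TOKEN".to_string(), "constructed-token".to_string());
    let flag = parse_provenance_flag(&["publish", "--no-provenance"]).unwrap();
    println!("attest in CI with --no-provenance: {}", should_attest(flag, &ci));
}
```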
Supply chain security for JSR.