Add signature verification in monitoring mode #77
Merged
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@carabiner.dev>
Contributor
Author
You can see a sample verified run here: https://github.com/puerco/lab/actions/runs/24020125360/job/70047252388
eed3si9n reviewed Apr 7, 2026
| - name: "Verify the sbt distribution signature" | ||
| id: "ampel-verify" | ||
| if: steps.cache-tool-dir.outputs.cache-hit != 'true' && steps.cache-dir.outputs.cache-hit != 'true' |
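Review bot: the `if:` on the `ampel-verify` step is gated only on `steps.cache-tool-dir.outputs.cache-hit` and `steps.cache-dir.outputs.cache-hit`, so the signature is checked only on a run where both caches miss, and a copy restored from cache is never re-verified. If the downloaded distribution is written to the cache regardless of this step's result, a download that failed verification can be reused by later runs with no further warning; consider keying the cache save on a successful verification, or documenting that the move to enforcement requires invalidating existing caches. The condition also has no OS guard, so add something like `runner.os == 'Linux'` here if the step should be limited to Linux runners.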
Member
Thanks for the contribution! Would it be ok if we only ran this on Linux?
Contributor
Author
Yes, of course. I actually just pushed a commit to skip it on Windows as it unearthed a Windows bug upstream on billyfs: go-git/go-billy#194
Let me change the last commit to also skip macOS
Contributor
Author
OK, I've modified the workflow exception to only run on Linux
(note that macOS is not affected by the upstream bug)
This commit adds a skip verifying signatures on Windows as we found a bug upstream handling paths on Windows: go-git/go-billy#194

This will be removed once the patch flows down to AMPEL. We also skip macOS for now.

Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
eed3si9n approved these changes Apr 7, 2026
This is the first PR on the plan to make the installer artifacts verifiable.
This PR adds another curl call to download the signature along with the sbt distribution and injects another step in the installer that verifies the signature with an off-the-shelf policy. We also temporarily embed the public key in the workflow to verify the binary; ideally we'll write a policy for the installer and keep it in another location.
To monitor things, the verification step is in monitoring mode for now; it will not fail the installation if the signature fails. We will enforce it once we observe it for a few days.
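The monitor-then-enforce rollout described above, as an added shell example that is not part of this pull request or the project's code. `openssl dgst` stands in for the AMPEL policy check, whose invocation is not shown on this page; the function names, file names and key pair are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: openssl stands in for the AMPEL policy check; names are hypothetical.

# verify_artifact MODE PUBKEY ARTIFACT SIGNATURE
#   monitor: report a failed check but return 0, so the install continues
#   enforce: return 1 on a failed check, so the install stops
verify_artifact() {
  local mode="$1" pubkey="$2" artifact="$3" sig="$4"
  if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$artifact" >/dev/null 2>&1; then
    echo "signature OK: $artifact"
    return 0
  fi
  # "::warning::" is the GitHub Actions workflow command that creates an annotation.
  echo "::warning::signature verification FAILED for $artifact (mode=$mode)"
  if [ "$mode" = "enforce" ]; then
    return 1
  fi
  return 0
}

# make_fixture DIR: constructed sample data (throwaway P-256 key, fake archive, signature).
make_fixture() {
  local dir="$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
  openssl ec -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
  printf 'constructed stand-in for the sbt distribution\n' > "$dir/dist.tgz"
  openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/dist.tgz.sig" "$dir/dist.tgz"
}

demo() {
  local dir
  dir="$(mktemp -d)"
  make_fixture "$dir"
  verify_artifact enforce "$dir/pub.pem" "$dir/dist.tgz" "$dir/dist.tgz.sig"
  printf 'tampered\n' >> "$dir/dist.tgz"   # simulate a modified download
  verify_artifact monitor "$dir/pub.pem" "$dir/dist.tgz" "$dir/dist.tgz.sig"
  echo "monitor mode exit status: $?"
  verify_artifact enforce "$dir/pub.pem" "$dir/dist.tgz" "$dir/dist.tgz.sig" \
    || echo "enforce mode: installation would stop here"
  rm -rf "$dir"
}

demo
```

In monitor mode the warning annotation is the only trace of a failed check, so the observation period is only useful if those annotations are actually reviewed before switching to enforce.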