Description
Is your feature request related to a problem? Please describe.
I've recently updated my CI to attest the artifacts it generates using GitHub artifact attestations.
I've also started generating an SBOM and uploading it to the GitHub releases, which is also attested. However, because the SBOM doesn't include a signature, it causes a score of 0 for the Signed-Releases check.
Describe the solution you'd like
In conjunction with "Releases now expose digests for release assets", if there is an attestation present for the file(s) attached to the release with the same name(s) and SHA(s), then they should be treated as signed.
Describe alternatives you've considered
Manually signing the files before attesting them and then uploading the additional signatures to the release.
Additional context
For example:
- Polly 8.6.1 has a `polly.spdx.json` file attached with a digest of `sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0`.
  - For example, GET the release JSON
  - GET the URL from `assets_url`
  - The array contains an entry with a `name` of `polly.spdx.json` and a `digest` of `sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0`.
- This matches this attestation, which also contains `polly.spdx.json` with a digest of `sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0`.
  - This can be checked as existing with a GET to `/users/App-vNext/attestations/sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0` (needs authentication)
  - In this case, the `payloadType` is `application/vnd.in-toto+json`.
So as an example implementation:
- Get the release and read `assets_url`
- Get the assets JSON from that URL
- For each asset:
  - Check whether `digest` has a value
  - If it does:
    - Get `/users/{owner}/attestations/{digest}` (requires a GitHub token)
    - Get
    - Check whether
- If all assets have a `digest` and they all have an attestation, then give the check a non-zero score
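The rule in the list above, written out in Go as an added example (not code from this issue or from Scorecard). The Polly owner and SBOM digest come from the issue; the `release-notes.txt` asset with its empty digest, the `attestationLookup` function type standing in for the authenticated attestations call, and the treatment of an empty asset list as failing are assumptions of the example so that it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Digest of polly.spdx.json in the Polly 8.6.1 release cited in the issue.
const pollyDigest = "sha256:265836eddc37550260815610ed0118ca9dae5a544c5371f510cbef3287fc49e0"
// Constructed assets_url responses reduced to the fields the check reads;
// release-notes.txt and its missing digest are invented for this example.
const attestedAssetsJSON = `[{"name":"polly.spdx.json","digest":"` + pollyDigest + `"}]`
const mixedAssetsJSON = `[{"name":"polly.spdx.json","digest":"` + pollyDigest + `"},` +
	`{"name":"release-notes.txt","digest":""}]`

type releaseAsset struct {
	Name   string `json:"name"`
	Digest string `json:"digest"`
}
// attestationLookup stands in for the authenticated call
// GET /users/{owner}/attestations/{digest}: does an attestation exist?
type attestationLookup func(owner, digest string) (bool, error)

// allAssetsAttested applies the proposed rule: every asset needs a sha256
// digest and every digest must resolve to an attestation. Names of failing
// assets are returned too. An empty asset list fails (example's assumption).
func allAssetsAttested(owner string, assetsJSON []byte, lookup attestationLookup) (bool, []string, error) {
	var assets []releaseAsset
	if err := json.Unmarshal(assetsJSON, &assets); err != nil {
		return false, nil, err
	}
	var failing []string
	for _, a := range assets {
		if !strings.HasPrefix(a.Digest, "sha256:") { // no digest: nothing to match
			failing = append(failing, a.Name)
			continue
		}
		if ok, err := lookup(owner, a.Digest); err != nil {
			return false, nil, err
		} else if !ok {
			failing = append(failing, a.Name)
		}
	}
	return len(assets) > 0 && len(failing) == 0, failing, nil
}

func main() { // constructed lookup: only the Polly SBOM digest is attested
	lookup := func(owner, digest string) (bool, error) { return owner == "App-vNext" && digest == pollyDigest, nil }
	fmt.Println(allAssetsAttested("App-vNext", []byte(mixedAssetsJSON), lookup))
}
```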