1+ name : Sign Existing Binaries
2+
3+ on :
4+ workflow_dispatch :
5+ push :
6+ paths :
7+ - ' releases/**'
8+ - ' src-tauri/target/release/*.exe'
9+ - ' src-tauri/target/release/bundle/**/*.msi'
10+ - ' src-tauri/target/release/bundle/**/*.msix'
11+
12+ permissions :
13+ id-token : write # Required for OIDC authentication with Sigstore
14+ contents : read # Required to read repository contents
15+
16+ jobs :
17+ sign-binaries :
18+ runs-on : ubuntu-latest
19+
20+ steps :
21+ - name : Checkout repository
22+ uses : actions/checkout@v4
23+
24+ - name : Install Cosign
25+ uses : sigstore/cosign-installer@v3
26+ with :
27+ cosign-release : ' v2.2.4'
28+
29+ - name : Find and sign executables
30+ run : |
31+ echo "🔍 Finding binaries to sign..."
32+
33+ # Find all exe files
34+ find . -name "*.exe" -type f | while read -r file; do
35+ if [ -f "$file" ]; then
36+ echo "🔐 Signing executable: $file"
37+ cosign sign-blob --yes "$file" --output-signature "${file}.sig" --output-certificate "${file}.crt"
38+ echo "✅ Signed: $file"
39+ fi
40+ done
41+
42+ # Find all MSI files
43+ find . -name "*.msi" -type f | while read -r file; do
44+ if [ -f "$file" ]; then
45+ echo "🔐 Signing MSI installer: $file"
46+ cosign sign-blob --yes "$file" --output-signature "${file}.sig" --output-certificate "${file}.crt"
47+ echo "✅ Signed: $file"
48+ fi
49+ done
50+
51+ # Find all MSIX files
52+ find . -name "*.msix" -type f | while read -r file; do
53+ if [ -f "$file" ]; then
54+ echo "🔐 Signing MSIX package: $file"
55+ cosign sign-blob --yes "$file" --output-signature "${file}.sig" --output-certificate "${file}.crt"
56+ echo "✅ Signed: $file"
57+ fi
58+ done
59+
60+ - name : Generate attestations
61+ run : |
62+ echo "📋 Generating SLSA attestations..."
63+
64+ # Generate attestations for all signed files
65+ find . \( -name "*.exe" -o -name "*.msi" -o -name "*.msix" \) -type f | while read -r file; do
66+ if [ -f "$file" ]; then
67+ echo "📋 Generating attestation for: $file"
68+ cosign attest --yes --type slsaprovenance --predicate <(echo '{"buildType":"https://github.com/faratech/wfdiag/actions","builder":{"id":"https://github.com/actions/runner"},"materials":[{"uri":"git+https://github.com/faratech/wfdiag.git","digest":{"sha1":"'${{ github.sha }}'"}}]}') "$file"
69+ echo "✅ Attestation generated for: $file"
70+ fi
71+ done
72+
73+ - name : Verify signatures
74+ run : |
75+ echo "🔍 Verifying all signatures..."
76+
77+ # Verify all signatures
78+ find . -name "*.sig" -type f | while read -r sigfile; do
79+ original="${sigfile%.sig}"
80+ cert="${original}.crt"
81+
82+ if [ -f "$original" ] && [ -f "$cert" ]; then
83+ echo "🔍 Verifying: $original"
84+ if cosign verify-blob --signature "$sigfile" --certificate "$cert" --certificate-identity-regexp "https://github.com/faratech/wfdiag" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" "$original"; then
85+ echo "✅ Verification successful: $original"
86+ else
87+ echo "❌ Verification failed: $original"
88+ exit 1
89+ fi
90+ fi
91+ done
92+
93+ - name : Upload signature artifacts
94+ uses : actions/upload-artifact@v4
95+ with :
96+ name : sigstore-signatures
97+ path : |
98+ **/*.sig
99+ **/*.crt
100+ retention-days : 90
101+
102+ - name : Summary
103+ run : |
104+ echo "## 🔐 Sigstore Signing Summary" >> $GITHUB_STEP_SUMMARY
105+ echo "" >> $GITHUB_STEP_SUMMARY
106+ echo "### Signed Files:" >> $GITHUB_STEP_SUMMARY
107+ find . \( -name "*.exe" -o -name "*.msi" -o -name "*.msix" \) -type f | while read -r file; do
108+ size=$(stat -c%s "$file" 2>/dev/null || echo "unknown")
109+ echo "- \`$file\` (${size} bytes)" >> $GITHUB_STEP_SUMMARY
110+ done
111+ echo "" >> $GITHUB_STEP_SUMMARY
112+ echo "### Generated Artifacts:" >> $GITHUB_STEP_SUMMARY
113+ find . \( -name "*.sig" -o -name "*.crt" \) -type f | while read -r file; do
114+ echo "- \`$file\`" >> $GITHUB_STEP_SUMMARY
115+ done
116+ echo "" >> $GITHUB_STEP_SUMMARY
117+ echo "🎯 All binaries have been signed with Sigstore keyless signatures!"
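Review bot: The verify step on line 84 passes `--certificate-identity-regexp "https://github.com/faratech/wfdiag"` unanchored, so any Fulcio certificate whose SAN merely contains that substring (another workflow or branch of this repository, or any `faratech/wfdiag*` repository) passes the check; pin the exact identity instead, e.g. set `WORKFLOW_REF: ${{ github.workflow_ref }}` in the step's `env:` and verify with `--certificate-identity "https://github.com/${WORKFLOW_REF}"` alongside the existing issuer flag. `cosign attest` on line 68 takes an OCI image reference rather than a file path, and the hand-written predicate asserts build provenance (`builder.id`, `materials`) that this job cannot vouch for because it only signs binaries it found in the checkout — switch to `cosign attest-blob --yes --type slsaprovenance --predicate "$pred" --output-attestation "${file}.intoto.jsonl" "$file"` with a predicate limited to what the run actually did, or drop the step rather than emit false provenance. The `sign-blob` calls on lines 37, 46 and 55 should add `--bundle "${file}.bundle"` and the upload step should include it, because the short-lived `.crt` plus detached `.sig` is not verifiable offline once the certificate expires without the Rekor entry the bundle carries (these are also not Authenticode signatures, so Windows will not treat the `.exe`/`.msi`/`.msix` files as signed). Finally, with `id-token: write` granted to the whole workflow, `actions/checkout@v4` and `sigstore/cosign-installer@v3` should be pinned to commit SHAs and the `push:` trigger should carry a `branches:` filter, otherwise a push to any branch or a compromised action tag can mint signatures under this repository's signing identity.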