feat: cache artifact signing command with Sigstore integration #244
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add comprehensive SLSA v0.2 provenance generation using in-toto libraries - Implement keyless signing with Sigstore integration - Create structured error handling for signing operations - Add GitHub Actions context validation and extraction - Support .att file format compatible with existing verification - Replace parallel signing approach with single-step generation and signing Co-authored-by: Ona <[email protected]>
- Implement leeway plumbing sign-cache command for secure artifact signing - Add --from-manifest flag to process build manifests from previous jobs - Support parallel artifact processing with WaitGroup coordination - Create adapter pattern for RemoteCache interface compatibility - Enable separation of build and signing concerns in CI workflows - Support GitHub Actions OIDC token-based keyless signing Co-authored-by: Ona <[email protected]>
- Add github.com/sigstore/sigstore-go v1.1.2 for keyless signing - Update in-toto libraries for SLSA v0.2 provenance generation - Upgrade AWS SDK and other dependencies to latest versions - Support GitHub Actions OIDC token integration Co-authored-by: Ona <[email protected]>
- Replace TODO placeholder with actual sigstore-go v1.1.2 API calls - Add proper DSSE format for SLSA attestations (application/vnd.in-toto+json) - Implement TUF-based trusted root and signing config fetching - Add dynamic Fulcio and Rekor service selection from signing config - Remove manual OIDC token handling, let sigstore-go handle GitHub OIDC automatically - Add comprehensive GitHub Actions environment validation (GITHUB_ACTIONS=true) - Replace placeholder attestation envelope with real Sigstore bundles - Improve error messages for better debugging in CI environments Fixes critical API usage issues identified in code review. Enables production keyless signing with GitHub OIDC tokens. Co-authored-by: Ona <[email protected]>
- Use getRemoteCacheFromEnv() instead of getRemoteCache(cmd) for cleaner interface - Remove unused imports (path/filepath, time) to clean up dependencies - Improve command interface consistency with other leeway commands Co-authored-by: Ona <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Adds the
leeway plumbing sign-cachecommand for signing cache artifacts with SLSA v0.2 attestations, completing the SLSA Level 3 implementation started in PR #242 and PR #243.Changes
sign-cachecommand: CLI for signing cache artifacts from manifest files.attfiles to S3 cacheBuilds on existing cache verification (PR #242) and in-flight checksumming (PR #243) to provide complete signing infrastructure for separated CI jobs.
Related Issue(s)
Completes SLSA Level 3 cache artifact signing implementation.
Fixes https://linear.app/ona-team/issue/CLC-1959/create-leeway-signing-command
How to test
Basic functionality: