Signed release packages using Github artifact attestation (#1390)

egecetin · tigercosmos · web-flow · commit a677bfe663a6 · 2024-08-26T15:10:02.000+03:00
* Add attestation steps for packaging

* tab to spaces

* update permissions

* Update README for verify procedure

* fix

* version to commit hash

* update

* remove ubuntu 18.04

* move permissions

* should be package dir

* remove wildcard

* bump version str

* remove unnecessary id

* revert test version bump

* add link to attestation page

---------

Co-authored-by: Liu, An-Chi &lt;phy.tiger@gmail.com&gt;
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -22,6 +22,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     container: seladb/${{ matrix.image }}
     strategy:
       matrix:
@@ -68,6 +70,11 @@ jobs:
       - name: Package
         run: cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
@@ -81,6 +88,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         include:
@@ -103,19 +112,26 @@ jobs:
             cmake --build "$BUILD_DIR" -j 4
             cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.tar.gz"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.BUILD_DIR }}/*.tar.gz
+          artifacts: "${{ env.BUILD_DIR }}/*.tar.gz"
 
   macos:
     runs-on: macos-14
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         xcode-version: [15.4, 14.3.1]
@@ -139,6 +155,11 @@ jobs:
       - name: Package
         run: cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.pkg"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
@@ -152,6 +173,8 @@ jobs:
     runs-on: windows-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         include:
@@ -202,14 +225,19 @@ jobs:
         shell: msys2 {0}
         run: cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.zip"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.BUILD_DIR }}/*.zip
+          artifacts: "${{ env.BUILD_DIR }}/*.zip"
 
   visual-studio:
     strategy:
@@ -221,6 +249,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -244,14 +274,19 @@ jobs:
       - name: Package
         run: cmake --build "$env:BUILD_DIR" --config ${{ matrix.configuration }} --target package
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.zip"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.BUILD_DIR }}/*.zip
+          artifacts: "${{ env.BUILD_DIR }}/*.zip"
 
   android-build:
     strategy:
@@ -314,6 +349,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
 
     steps:
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -326,11 +363,17 @@ jobs:
           export PACKAGE_DIR=$(ls | grep pcapplusplus)
           echo "PACKAGE_DIR=$PACKAGE_DIR" >> $GITHUB_ENV
           tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}"
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.PACKAGE_DIR }}.tar.gz"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.PACKAGE_DIR }}.tar.gz
+          artifacts: "${{ env.PACKAGE_DIR }}.tar.gz"
diff --git a/README.md b/README.md
@@ -96,6 +96,20 @@ git clone https://github.com/seladb/PcapPlusPlus.git
 
 Follow the build instructions according to your platform in the [Build From Source](https://pcapplusplus.github.io/docs/install#build-from-source) page in PcapPlusPlus web-site.
 
+### Verify your packages
+
+PcapPlusPlus releases which newer than v23.09 are signed with GitHub attestation. All of the attestations can be found [here](https://github.com/seladb/PcapPlusPlus/attestations). You can verify the attestation of these packages with GitHub CLI. To verify packages you can follow the most recent instructions from [gh attestation verify](https://cli.github.com/manual/gh_attestation_verify). For simple instructions you can use the following command:
+
+```shell
+gh attestation verify <path-to-package-file> --repository seladb/PcapPlusPlus
+```
+
+and you should see the following output in your terminal:
+
+```shell
+✓ Verification succeeded!
+```
+
 ## Feature Overview
 
 - __Packet capture__ through an easy to use C++ wrapper for popular packet capture engines such as [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/), [Npcap](https://nmap.org/npcap/), [Intel DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html), [ntop’s PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/) and [raw sockets](https://en.wikipedia.org/wiki/Network_socket#Raw_socket) [[Learn more](https://pcapplusplus.github.io/docs/features#packet-capture)]
