- Add samoyed-release-public.key for artifact verification
- Document key rotation policy in README.md
- Include minor formatting improvements to README

- Add comprehensive GPG signing process for release artifacts
- Implement artifact signing with ed25519 key
- Generate and sign checksums file
- Export and distribute public key with releases
- Update release workflow with secure artifact handling

Closes #36

This commit adds comprehensive verification documentation for AC36.4, covering:
- Step-by-step verification instructions
- Platform-specific guidance
- Troubleshooting section
- Security best practices
- Detailed walkthrough of release signature verification process

Note: AC36.5 remains in progress

Partial progress on #36

… verification

Implements additional security features in release.yml:
- Add detailed signing audit logging
- Implement signature verification job
- Create security monitoring and alerting mechanism
- Verify signature completeness for all release artifacts

Closes #36
Pull Request Overview
This PR introduces comprehensive GPG signing capabilities to the Samoyed project's release workflow, enhancing security through cryptographic verification of all release artifacts. The implementation adds automated signature generation, verification, and security monitoring to protect against supply chain attacks.
- Implements ed25519 GPG signing for all release binaries, checksums, and artifacts
- Adds automated signature verification and security monitoring jobs to detect missing signatures
- Provides extensive documentation for users to verify release authenticity across platforms
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Core implementation of GPG signing workflow with signature generation, verification jobs, and security monitoring |
| README.md | Comprehensive user documentation for signature verification including platform-specific instructions and troubleshooting |
| .github/workflows/samoyed-release-public.key | GPG public key file for signature verification |
🔒 Security Audit Report (cargo-audit): ✅ Security audit completed successfully. No security report file found, likely no issues detected.

🔒 Security Audit Report (cargo-audit): ❌ Error parsing audit report. Could not parse security audit results. Check the logs for details.

Codecov Report: ✅ All modified and coverable lines are covered by tests.

🔒 Security Audit Report (cargo-audit): ❌ Error parsing audit report. Could not parse security audit results. Check the logs for details.
Improvements:
- Replace hardcoded GPG key ID with ${{ vars.GPG_KEY_ID }}
- Replace hardcoded full GPG key ID with ${{ vars.FULL_GPG_KEY_ID }}
- Replace hardcoded GPG fingerprint with ${{ vars.GPG_FINGERPRINT }}
This change centralizes key management in GitHub repository variables,
improving security and maintainability of the release workflow.
Force-pushed 4bd07e6 to 9acbf67
🔒 Security Audit Report (cargo-audit): ❌ Error parsing audit report. Could not parse security audit results. Check the logs for details.
This pull request enhances the release workflow for the project by introducing robust GPG signing for all release artifacts, improving security and transparency. It adds automated steps for signing, verifying, and auditing release files, and introduces new jobs for post-release signature verification and security monitoring. Documentation is updated to reflect the new key rotation policy and security features.
Release Artifact Signing and Verification:

- `verify_signatures`, automatically downloads release assets and verifies all signatures using the public key after each release.

Security Monitoring and Alerting:

- `security_check` job that audits the completeness of release signatures and assets, and triggers a GitHub issue alert if any required files are missing or invalid.

Release Workflow Improvements:

Documentation Updates:

- `README.md` describing the key rotation policy and how users will be notified of key changes.

General Workflow Maintenance:
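The two checks this PR describes, the post-release signature verification and the `security_check` audit that flags missing signatures or assets, are the same checks a user should run on a download. The script below is an added example written for this page; it is not code from the Samoyed project's release.yml or README. It assumes a release directory laid out as `<asset>`, `<asset>.asc`, `SHA256SUMS` and `SHA256SUMS.asc` (the manifest name is an assumption; the page only says a checksums file is signed), and it takes the expected key fingerprint from the caller rather than from the release itself, because a public key shipped alongside the artifacts it signs is not a trust anchor on its own.

```sh
#!/bin/sh
# Added example for this page, not the Samoyed project's own workflow or
# README code. Assumed release layout (illustrative names):
#   <asset>           release binary or archive
#   <asset>.asc       detached GPG signature of <asset>
#   SHA256SUMS        checksum manifest listing every asset
#   SHA256SUMS.asc    detached GPG signature of the manifest
# The caller supplies the public key file and the expected fingerprint,
# obtained out-of-band (e.g. from the README), not from the release itself.

# check_release_completeness DIR
# Completeness audit: every asset needs a .asc and a manifest entry, and
# the manifest itself must be present and signed.
# Prints one line per problem and returns 1 if anything is missing.
check_release_completeness() {
    dir=$1
    missing=0
    [ -f "$dir/SHA256SUMS" ] || { echo "missing: SHA256SUMS"; missing=1; }
    [ -f "$dir/SHA256SUMS.asc" ] || { echo "missing: SHA256SUMS.asc"; missing=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue             # empty directory: the glob stays literal
        name=$(basename "$f")
        case "$name" in
            *.asc|SHA256SUMS) continue ;;   # signatures and the manifest are not assets
        esac
        [ -f "$f.asc" ] || { echo "missing: $name.asc"; missing=1; }
        # Exact-name match against the manifest, ignoring sha256sum's "*" binary marker.
        if [ -f "$dir/SHA256SUMS" ] && ! awk -v n="$name" \
            '{ e=$2; sub(/^\*/, "", e); if (e == n) found=1 } END { exit !found }' \
            "$dir/SHA256SUMS"; then
            echo "not in SHA256SUMS: $name"; missing=1
        fi
    done
    return $missing
}

# verify_release DIR PUBKEY_FILE EXPECTED_FINGERPRINT
# Imports the key into a throwaway keyring, pins the fingerprint, then verifies
# the manifest signature, the checksums, and every per-asset signature.
verify_release() {
    dir=$1; pubkey=$2; expected_fpr=$3
    check_release_completeness "$dir" || return 1
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --quiet --import "$pubkey" || return 1
    # gpg --verify exits 0 for any key present in the keyring, so the imported key
    # is only accepted if its fingerprint equals the one obtained out-of-band.
    gpg --batch --with-colons --fingerprint | grep -q "^fpr:.*:${expected_fpr}:\$" \
        || { echo "fingerprint mismatch: refusing to verify"; return 1; }
    gpg --batch --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" || return 1
    (cd "$dir" && sha256sum --check --strict SHA256SUMS) || return 1   # GNU coreutils
    for sig in "$dir"/*.asc; do
        gpg --batch --verify "$sig" "${sig%.asc}" || return 1
    done
    echo "all signatures and checksums verified"
}

# Usage: verify_release.sh RELEASE_DIR samoyed-release-public.key FINGERPRINT
if [ $# -eq 3 ]; then
    verify_release "$@"
fi
```

The completeness audit needs no gpg and is what a CI job like `security_check` can run against the published asset list; the full verification additionally needs `gpg` and GNU `sha256sum` (on macOS use `shasum -a 256 -c`). The fingerprint comparison is the important step: importing the distributed key and calling `gpg --verify` without it would accept a signature from any key an attacker managed to substitute in the release.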