Attest Our Projects using GitHub Attestations

GitHub announced the Attestations feature at the start of May 2024 and released it as a public beta to all GitHub users on June 25th, 2024. This blog article explains how GitHub Attestations work: a GitHub Actions workflow uses Sigstore to sign the artifacts it builds, and GitHub stores the resulting attestation (SLSA provenance) so that anyone who downloads the artifact can later verify that it was produced by a specific repository and workflow. This helps reduce supply chain attacks and improves the security of the broader software ecosystem.

The latest version of the GitHub CLI, which you can install from the GitHub CLI website (some distributions still ship a version that lacks this feature), verifies a file by computing its SHA-256 digest, fetching the attestations recorded for that digest through the GitHub API, and checking the Sigstore signature and its provenance statement against the file.

Our projects’ GitBook docs, such as the Nitrocid KS docs, now include a verification step that takes a single command, assuming the GitHub CLI is installed on your distribution at version 2.49.0 or later. To verify that the copy you downloaded from our project’s Releases page on GitHub is genuine, follow these steps, which apply to every project of ours that uses attestations (currently only our applications are attested; our libraries may follow later):

  • Install GitHub CLI 2.49.0 or later.
  • Sign in to your GitHub account with gh auth login.
  • Run this command: gh attestation verify <version>-bin.zip --owner Aptivi, where <version> is the version of Nitrocid you downloaded.
  • If everything went OK, you should see output similar to this:

    Loaded digest sha256:6030eb1eb660f336d8b070202c598e8f51e50c8b9ca9084f30aa8d40ecbb996f for file://0.1.0.10-bin-lite.zip
    Loaded 1 attestation from GitHub API
    ✓ Verification succeeded!
    sha256:6030eb1eb660f336d8b070202c598e8f51e50c8b9ca9084f30aa8d40ecbb996f was attested by:
    REPO               PREDICATE_TYPE                  WORKFLOW
    Aptivi/NitrocidKS  https://slsa.dev/provenance/v1  .github/workflows/prepdraft.yml@refs/tags/v0.1.0.10

    Also read the table: the REPO column should name our repository (here Aptivi/NitrocidKS) and the WORKFLOW column should name our release workflow at the tag of the version you downloaded. Note that --owner Aptivi accepts an attestation from any repository in our organization; if you want the CLI to insist on the exact repository, pass --repo Aptivi/NitrocidKS instead of --owner Aptivi.

    If you see different output, such as the 404 error shown below, GitHub has no attestation for the digest of the file you downloaded. Either the download is corrupt, or the file was not produced by our release workflow (for example, a malicious copy), so do not run it. A 404 can also mean the release predates our use of attestations; in that case, check the release notes for that version.

    Loaded digest sha256:78fc7b18c2e5e2753934652d294456d11d8dadad6f638dedc31513c4570587a1 for file://0.1.0.10-bin-lite.zip
    ✗ Loading attestations from GitHub API failed
    Error: failed to fetch attestations from Aptivi: HTTP 404: Not Found (https://api.github.com/orgs/Aptivi/attestations/sha256:78fc7b18c2e5e2753934652d294456d11d8dadad6f638dedc31513c4570587a1?per_page=30)
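    If you script the steps above (for example, in an installer that downloads a release asset), the script should fail closed: a 404, a success banner without a matching table row, or a row from an unexpected repository or workflow must all count as failure. The following is an added example, not Aptivi’s code or part of the GitHub CLI: it shells out to the real gh command with --repo, parses the human-readable output shown above, compares the digest gh reported with a locally computed SHA-256 of the file, and only passes when an attestation from the expected repository and release workflow at the expected tag is present. The function names (verify_release_asset, evaluate, parse_verify_output) and the two embedded sample outputs are this example’s own; the samples are the post’s outputs written one message per line.

```python
"""Fail-closed wrapper around `gh attestation verify` (added example, not Aptivi's code)."""
from __future__ import annotations

import hashlib
import re
import subprocess
from dataclasses import dataclass, field

DIGEST_RE = re.compile(r"Loaded digest (sha256:[0-9a-f]{64}) for ")
# One row of the "was attested by" table: REPO  PREDICATE_TYPE  WORKFLOW
ROW_RE = re.compile(r"^([\w.-]+/[\w.-]+)\s+(https?://\S+)\s+(\S+)$")


@dataclass
class VerifyResult:
    ok: bool                       # gh printed "Verification succeeded"
    digest: str | None             # digest gh computed for the file
    attestations: list[tuple[str, str, str]] = field(default_factory=list)
    error: str | None = None       # first "Error:" line, e.g. the HTTP 404


def parse_verify_output(text: str) -> VerifyResult:
    """Parse the text that `gh attestation verify` prints (stdout and stderr)."""
    m = DIGEST_RE.search(text)
    result = VerifyResult(ok="Verification succeeded" in text,
                          digest=m.group(1) if m else None)
    for line in text.splitlines():
        line = line.strip()
        row = ROW_RE.match(line)
        if row:
            result.attestations.append(row.groups())
        elif line.startswith("Error:") and result.error is None:
            result.error = line
    if not result.attestations:
        result.ok = False          # a success banner with no table rows is not a pass
    return result


def sha256_of_bytes(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def evaluate(result: VerifyResult, expected_repo: str, workflow_path: str,
             tag: str, local_digest: str | None = None) -> tuple[bool, str]:
    """Decide pass/fail from the parsed output. Returns (ok, reason)."""
    if not result.ok:
        return False, result.error or "gh did not report a successful verification"
    if local_digest and result.digest != local_digest:
        return False, f"gh verified {result.digest} but the local file is {local_digest}"
    wanted = f"{workflow_path}@refs/tags/{tag}"
    for repo, predicate, workflow in result.attestations:
        if repo == expected_repo and workflow == wanted:
            return True, f"{repo} {predicate} {workflow}"
    return False, f"no attestation from {expected_repo} via {wanted}; got {result.attestations}"


def verify_release_asset(path: str, repo: str, workflow_path: str, tag: str,
                         gh: str = "gh") -> tuple[bool, str]:
    """Run the CLI with --repo (stricter than --owner) and evaluate its output."""
    proc = subprocess.run([gh, "attestation", "verify", path, "--repo", repo],
                          capture_output=True, text=True)
    result = parse_verify_output(proc.stdout + proc.stderr)
    return evaluate(result, repo, workflow_path, tag, sha256_of_file(path))


# Constructed samples: the post's successful and failing outputs, one message per line.
SAMPLE_OK = """\
Loaded digest sha256:6030eb1eb660f336d8b070202c598e8f51e50c8b9ca9084f30aa8d40ecbb996f for file://0.1.0.10-bin-lite.zip
Loaded 1 attestation from GitHub API
✓ Verification succeeded!
sha256:6030eb1eb660f336d8b070202c598e8f51e50c8b9ca9084f30aa8d40ecbb996f was attested by:
REPO               PREDICATE_TYPE                  WORKFLOW
Aptivi/NitrocidKS  https://slsa.dev/provenance/v1  .github/workflows/prepdraft.yml@refs/tags/v0.1.0.10
"""
SAMPLE_404 = """\
Loaded digest sha256:78fc7b18c2e5e2753934652d294456d11d8dadad6f638dedc31513c4570587a1 for file://0.1.0.10-bin-lite.zip
✗ Loading attestations from GitHub API failed
Error: failed to fetch attestations from Aptivi: HTTP 404: Not Found (https://api.github.com/orgs/Aptivi/attestations/sha256:78fc7b18c2e5e2753934652d294456d11d8dadad6f638dedc31513c4570587a1?per_page=30)
"""

if __name__ == "__main__":
    import sys
    # Usage: python verify_asset.py 0.1.0.10-bin-lite.zip v0.1.0.10
    ok, why = verify_release_asset(sys.argv[1], "Aptivi/NitrocidKS",
                                   ".github/workflows/prepdraft.yml", sys.argv[2])
    print(("PASS: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```

    The local digest check matters when the file is downloaded by the same script: it ties the attestation gh found to the bytes you are about to run, so a file swapped on disk between download and verification is caught. Pinning the tag in the WORKFLOW comparison also rejects a genuine but older attested build that an attacker could serve in place of the version you asked for.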

    Tell us how it worked for you! Enjoy!

    #Net #Net6 #Net60 #NET7 #NET70 #NetCore #NetFramework #Attest #Attestation #Attestations #devops #GH #git #github #GitHubAttestation #githubActions #Programming #update #Verification #Verify