This project demonstrates signing artifacts using SignPath from GitHub Actions workflows.
Signing is invoked in the sign
step of .github/workflows/build-and-sign.yml.
See github.com/SignPath/github-actions for a full documentation of SignPath actions.
This project demonstrates the following attempts to violate SignPath policies and how they are averted on the control plane:
- This step selects the appropriate signing policy depending on the branch name. The actual branch must match the branch condition of the selected signing policy. The
attempt-signing-release
branch demonstrates how SignPath will detect incorrect attempts. - The
release/malicious-dll
branch demonstrates how SignPath will detect content-level violations of the artifact configuration. - The [
release/no-branch-rulesets
] branch demonstrates how SignPath can be configured to require certain branch ruleset rules.
To use this demo with your own SignPath subscription, you need to get access to SignPath's GitHub Actions integration and have the branch ruleset restriction enabled and configured. Please contact support@signpath.io.
- Fork this repository
- Uncheck Copy the main branch only
- In your SignPath organization, create a project with
- Slug:
Demo_Application
- Repository URLs: Your forked GitHub repository, e.g.
https://github.com/my/github-actions-extended-demo
- Trusted Build Systems: Link GitHub.com
- Add the following artifact configuration as default: .signpath/artifact-configurations/default.xml
- Add a
test-signing
signing policy - Add a
release-signing
signing policy with origin verification enabled and restricted tomain
andrelease/*
branches
- Slug:
- Create an API token in SignPath and add it as a GitHub Actions secret
SIGNPATH_API_TOKEN
(make sure the user is a submitter in your signing policies) - Add your SignPath Organization ID as a GitHub Actions variable
SIGNPATH_ORGANIZATION_ID
(click your organization's name at the upper right corner) - For now, create an access token with
metadata:read
permissions on your repository and pass it as theextended-verification-token
. (Note: this will be replaced by GitHub App access soon.) - Enable Actions for your GitHub repository