Using SignPath with GitHub Actions

This project demonstrates signing artifacts using SignPath from GitHub Actions workflows.

Signing is invoked in the sign step of .github/workflows/build-and-sign.yml.

See github.com/SignPath/github-actions for the full documentation of the SignPath actions.

Policy demonstrations

This project demonstrates the following attempts to violate SignPath policies and how they are averted on the control plane:

  • The sign step selects the appropriate signing policy depending on the branch name. The actual branch must match the branch condition of the selected signing policy. The attempt-signing-release branch demonstrates how SignPath will detect incorrect attempts.
  • The release/malicious-dll branch demonstrates how SignPath will detect content-level violations of the artifact configuration.
  • The release/no-branch-rulesets branch demonstrates how SignPath can be configured to require certain branch ruleset rules.
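To illustrate the first demonstration, here is an added Python model of the branch check behind origin verification. It is not SignPath code; the branch-to-policy mapping in select_policy and the function names are assumptions, and only the branch conditions (release-signing restricted to main and release/*) come from this README.

```python
"""Illustrative model of origin verification for branch-restricted signing
policies. Added example, not SignPath's implementation; the workflow-side
policy selection below is an assumption about the demo workflow."""
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Branch conditions as configured in this README's Configuration section:
# release-signing is restricted to main and release/*; test-signing is
# left unrestricted here (assumption).
POLICY_BRANCH_CONDITIONS = {
    "test-signing": ["*"],
    "release-signing": ["main", "release/*"],
}


def branch_from_ref(github_ref: str) -> str:
    """Strip the refs/heads/ prefix that GitHub puts in GITHUB_REF."""
    prefix = "refs/heads/"
    if not github_ref.startswith(prefix):
        raise ValueError(f"not a branch ref: {github_ref}")
    return github_ref[len(prefix):]


def select_policy(branch: str) -> str:
    """Workflow-side selection (assumed mapping): main and release/*
    request release-signing, everything else test-signing. The workflow
    only *requests* a policy; the control plane decides whether it applies."""
    if branch == "main" or branch.startswith("release/"):
        return "release-signing"
    return "test-signing"


def origin_verification(branch: str, policy: str) -> bool:
    """Control-plane check: the actual branch must satisfy one of the
    requested policy's branch conditions, whatever the workflow asked for."""
    patterns = POLICY_BRANCH_CONDITIONS[policy]
    return any(fnmatchcase(branch, p) for p in patterns)


def submit(github_ref: str, requested_policy: Optional[str] = None) -> Tuple[str, bool]:
    """Return (policy, accepted). requested_policy lets a workflow ask for
    a policy its branch is not entitled to, which is what the
    attempt-signing-release branch does to trigger a rejection."""
    branch = branch_from_ref(github_ref)
    policy = requested_policy or select_policy(branch)
    return policy, origin_verification(branch, policy)
```

A branch such as attempt-signing-release that requests release-signing is rejected because the branch itself, not the workflow's choice, is what the condition is evaluated against.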

Configuration

To use this demo with your own SignPath subscription, you need to get access to SignPath's GitHub Actions integration and have the branch ruleset restriction enabled and configured. Please contact support@signpath.io.

  • Fork this repository
    • Uncheck Copy the main branch only
  • In your SignPath organization, create a project with
    • Slug: Demo_Application
    • Repository URLs: Your forked GitHub repository, e.g. https://github.com/my/github-actions-extended-demo
    • Trusted Build Systems: Link GitHub.com
    • Add the following artifact configuration as default: .signpath/artifact-configurations/default.xml
    • Add a test-signing signing policy
    • Add a release-signing signing policy with origin verification enabled and restricted to main and release/* branches
  • Create an API token in SignPath and add it as a GitHub Actions secret SIGNPATH_API_TOKEN (make sure the user is a submitter in your signing policies)
  • Add your SignPath Organization ID as a GitHub Actions variable SIGNPATH_ORGANIZATION_ID (click your organization's name at the upper right corner)
  • For now, create an access token with metadata:read permissions on your repository and pass it as the extended-verification-token. (Note: this will be replaced by GitHub App access soon.)
  • Enable Actions for your GitHub repository