
Signed release packages using Github artifact attestation

Open egecetin opened this issue 1 year ago • 8 comments

Recently GitHub released a public beta for artifact signing: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/ With this PR, generated artifacts should also generate .sigstore.json files to verify packages. It should be ready to review. Since I changed permissions from a PR, it looks like write permissions are prohibited. I can't find a way to tweak it to get a passing result from CI.

Note: Unfortunately this requires dropping Ubuntu 18.04 support because of the Node version.

  • All attestations can be found in summaries: https://github.com/egecetin/PcapPlusPlus/actions/runs/9702477673
  • Example attestation page: https://github.com/egecetin/PcapPlusPlus/attestations/1193027
  • Example release page: https://github.com/egecetin/PcapPlusPlus/releases/tag/v24.1

egecetin avatar May 09 '24 09:05 egecetin

@seladb I updated this PR and finished the work. The only need (or dependency) is #1408. After the merge of #1408, it just needs to be tested with Ubuntu 24.04 and Fedora 39 and it is ready to merge. You can review this PR when you have time for any change you might want.

egecetin avatar Jun 27 '24 19:06 egecetin

@egecetin we removed Ubuntu 18.04, do you think you can update the PR and resolve conflicts? If the PR is ready for review I can review it

seladb avatar Jul 06 '24 10:07 seladb

@seladb It is ready

egecetin avatar Jul 09 '24 14:07 egecetin

@egecetin seems the CI has some errors?

tigercosmos avatar Jul 09 '24 18:07 tigercosmos

@tigercosmos It is because of permissions. Since the write permissions are set from a PR, it prohibits the write permission, so it fails. You can check my master branch or run from my test tag: https://github.com/egecetin/PcapPlusPlus/actions/runs/9858969300

egecetin avatar Jul 09 '24 20:07 egecetin

> @tigercosmos It is because of permissions. Since the write permissions are set from a PR, it prohibits the write permission, so it fails. You can check my master branch or run from my test tag: https://github.com/egecetin/PcapPlusPlus/actions/runs/9858969300

I see. It's cool!

tigercosmos avatar Jul 09 '24 20:07 tigercosmos

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 82.93%. Comparing base (fa22ff2) to head (5b6d817). Report is 2 commits behind head on dev.

Additional details and impacted files
@@           Coverage Diff            @@
##              dev    #1390    +/-   ##
========================================
  Coverage   82.93%   82.93%            
========================================
  Files         273      273            
  Lines       46355    46355            
  Branches     9436     9308   -128     
========================================
  Hits        38445    38445            
- Misses       7056     7101    +45     
+ Partials      854      809    -45     
Flag Coverage Δ
fedora39 74.56% <ø> (-0.01%) :arrow_down:
macos-12 80.89% <ø> (+0.02%) :arrow_up:
macos-13 80.31% <ø> (ø)
macos-14 80.23% <ø> (+0.01%) :arrow_up:
mingw32 71.43% <ø> (-0.01%) :arrow_down:
mingw64 71.42% <ø> (-0.01%) :arrow_down:
npcap 84.89% <ø> (-0.02%) :arrow_down:
rhel94 74.30% <ø> (-0.04%) :arrow_down:
ubuntu2004 57.91% <ø> (ø)
ubuntu2004-zstd 58.03% <ø> (ø)
ubuntu2204 74.26% <ø> (+0.02%) :arrow_up:
ubuntu2204-icpx 58.43% <ø> (-0.01%) :arrow_down:
ubuntu2404 74.53% <ø> (+0.03%) :arrow_up:
unittest 82.93% <ø> (ø)
windows-2019 84.92% <ø> (-0.03%) :arrow_down:
windows-2022 84.93% <ø> (-0.03%) :arrow_down:
winpcap 84.91% <ø> (ø)
xdp 49.29% <ø> (ø)


codecov[bot] avatar Aug 12 '24 05:08 codecov[bot]

@seladb This PR is also ready for review, but what do you think about it? Merge before release or after release? It is nice to merge before release, but I'm OK with both options since we already have many changes for the release and the last release was a long time ago...

egecetin avatar Aug 23 '24 20:08 egecetin

> @seladb This PR is also ready for review, but what do you think about it? Merge before release or after release? It is nice to merge before release, but I'm OK with both options since we already have many changes for the release and the last release was a long time ago...

@egecetin I'm ok with merging this PR before the next release

seladb avatar Aug 25 '24 06:08 seladb

@seladb last test run: https://github.com/egecetin/PcapPlusPlus/actions/runs/10544926628

egecetin avatar Aug 25 '24 07:08 egecetin

> @seladb last test run: https://github.com/egecetin/PcapPlusPlus/actions/runs/10544926628

Where are the packages created? This tag doesn't have any packages attached... 🤔

seladb avatar Aug 25 '24 07:08 seladb

It was a draft. Released now.

https://github.com/egecetin/PcapPlusPlus/releases/tag/v24.2

egecetin avatar Aug 25 '24 07:08 egecetin

> It was a draft. Released now.
>
> https://github.com/egecetin/PcapPlusPlus/releases/tag/v24.2

@egecetin I couldn't find the .sigstore.json file in the artifacts 🤔

seladb avatar Aug 25 '24 07:08 seladb

@seladb I removed them because GitHub already stores them in the attestation tab (check here). For verifying, there is no need to download .sigstore.json. In old commits I added them, but then noticed a future problem. GitHub generates them as jsonl. This means that every attestation is stored in lines of a file. If we add deb/rpm packaging support, there will be more than one package per platform. So we should distinguish sigstore files from lines, and to do this we should add a script to parse which line corresponds to which package. GitHub does this automatically for us and stores them in separate pages.

egecetin avatar Aug 25 '24 07:08 egecetin
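
The line-to-package mapping discussed in the last comment, as an added example that is not part of the PR or the project's code: it decodes the in-toto statement inside each JSONL line's DSSE envelope and matches packages by SHA-256 digest rather than by file name. The package names and the unsigned sample bundles are constructed for illustration; indexing lines this way does not verify any signature, which remains the job of `gh attestation verify`.

```python
import base64
import hashlib
import json

def make_line(name: str, content: bytes) -> str:
    """Build one constructed JSONL line shaped like a Sigstore bundle (unsigned)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(content).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json", "payload": payload}})

def index_bundles(jsonl_text: str) -> dict:
    """Map sha256 digest -> (1-based line number, subject name)."""
    index = {}
    for lineno, line in enumerate(jsonl_text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines between bundles
        envelope = json.loads(line).get("dsseEnvelope", {})
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue  # not an in-toto statement, nothing to index
        statement = json.loads(base64.b64decode(envelope["payload"]))
        for subject in statement.get("subject", []):
            digest = subject.get("digest", {}).get("sha256")
            if digest:
                index[digest.lower()] = (lineno, subject.get("name"))
    return index

def match_packages(packages: dict, jsonl_text: str) -> dict:
    """Return {file name: bundle line number, or None when no line covers it}."""
    index = index_bundles(jsonl_text)
    result = {}
    for name, content in packages.items():
        hit = index.get(hashlib.sha256(content).hexdigest())
        result[name] = hit[0] if hit else None
    return result

# Constructed sample: two packages for one platform, one attestation per line.
DEB = b"constructed .deb bytes"
RPM = b"constructed .rpm bytes"
SAMPLE_JSONL = "\n".join([make_line("pcapplusplus-example.deb", DEB),
                          make_line("pcapplusplus-example.rpm", RPM)])

if __name__ == "__main__":
    print(match_packages({"example.deb": DEB, "tampered.rpm": RPM + b"!"}, SAMPLE_JSONL))
```

A package whose digest appears on no line maps to `None`, which is how a renamed or modified file shows up.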