security: cosign sign release tarballs, Docker image, and CycloneDX SBOM#518
BryanFRD wants to merge 1 commit into
Closes #510.

## What's signed

- The 5 platform tarballs (linux-x64/arm64, darwin-x64/arm64, win32-x64) → .sig + .crt sidecars attached to the GitHub Release
- The Docker image (ghcr.io/ferrlabs/ferrflow:latest + :vX.Y.Z) → Sigstore signature recorded in GHCR + Rekor
- CycloneDX SBOM (sbom.cdx.json) → also signed via cosign

## How

All keyless. The signing identity is the GitHub Actions OIDC workload identity: `https://github.com/FerrLabs/FerrFlow/.github/workflows/publish.yml@refs/tags/vX.Y.Z`, recorded in the public Rekor transparency log. No private keys to manage or rotate.

## Verification

Documented in docs/verifying-releases.md with copy-paste commands for cosign verify-blob (tarballs + SBOM) and cosign verify (Docker).

## Cost

- +30s on the release workflow for the signing step
- +1.5 min for cargo install cargo-cyclonedx (one-shot; could be cached via taiki-e/install-action if it becomes annoying)
- SBOM size ~50-200 KB depending on dep count

## Why this matters

Several compliance-focused customers asked for either SLSA provenance (already there via attest-build-provenance) or Sigstore signatures. This closes the second leg cheaply. SBOMs are increasingly a hard intake gate for vulnerability scanners (Grype, Trivy, JFrog Xray).
Benchmark

| Benchmark suite | Current: fa4ad9c | Previous: 0b5fe57 | Ratio |
|---|---|---|---|
| changelog/build_50 | 6817 ns/iter (± 94) | 7955 ns/iter (± 147) | 0.86 |
| changelog/build_500 | 60871 ns/iter (± 1690) | 68596 ns/iter (± 1303) | 0.89 |
This comment was automatically generated by workflow using github-action-benchmark.
Closes #510. Independent of the Rust PR queue (#505 / #516 / #517) — only touches the publish workflow + docs.
## What ships now

## How
Keyless Sigstore — no private keys to manage. The signing identity is the workflow's OIDC token, recorded in the public Rekor log. Verification:
```bash
# Keyless verification of one tarball: the .crt sidecar carries the Fulcio
# certificate and the .sig sidecar the signature; the regexp accepts any
# workflow identity under the FerrLabs/FerrFlow repository.
cosign verify-blob \
  --certificate ferrflow-linux-x64.tar.gz.crt \
  --signature ferrflow-linux-x64.tar.gz.sig \
  --certificate-identity-regexp "https://github.com/FerrLabs/FerrFlow/.*" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ferrflow-linux-x64.tar.gz
```
Full user-facing guide in `docs/verifying-releases.md`.
## Cost

## Test plan
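As an added example (not the project's own script and not part of this PR), a release-verification script that pins each artifact to the exact `publish.yml@refs/tags/<tag>` identity the description names, instead of the repo-wide `FerrLabs/FerrFlow/.*` regexp, and checks that both sidecars were downloaded before invoking cosign. It assumes cosign is on PATH, the assets and their `.sig`/`.crt` sidecars sit in the working directory with the `ferrflow-<platform>.tar.gz` naming, and the image tag equals the release tag.

```shell
#!/bin/sh
# Added example, not the project's script: verify a whole FerrFlow release against
# the exact publish-workflow identity for one tag. Assumes cosign on PATH and the
# assets plus their .sig/.crt sidecars downloaded into the working directory.
set -eu

REPO="FerrLabs/FerrFlow"
OIDC_ISSUER="https://token.actions.githubusercontent.com"
PLATFORMS="linux-x64 linux-arm64 darwin-x64 darwin-arm64 win32-x64"

# Exact Sigstore certificate identity the publish workflow receives for a tag.
release_identity() {
  printf 'https://github.com/%s/.github/workflows/publish.yml@refs/tags/%s\n' "$REPO" "$1"
}

# 0 only when the asset and both sidecars exist and are non-empty, so a missing
# download fails with a clear message instead of an opaque cosign error.
sidecars_present() {
  [ -s "$1" ] && [ -s "$1.sig" ] && [ -s "$1.crt" ]
}

# Verify one blob (tarball or SBOM) keylessly against the pinned identity.
verify_blob() {
  asset="$1"; tag="$2"
  sidecars_present "$asset" || { echo "missing asset or sidecar: $asset" >&2; return 1; }
  cosign verify-blob \
    --certificate "$asset.crt" \
    --signature "$asset.sig" \
    --certificate-identity "$(release_identity "$tag")" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$asset"
}

# Verify the five tarballs, the SBOM, and the container image for one tag.
verify_release() {
  tag="$1"
  for p in $PLATFORMS; do
    verify_blob "ferrflow-$p.tar.gz" "$tag"
  done
  verify_blob "sbom.cdx.json" "$tag"
  cosign verify \
    --certificate-identity "$(release_identity "$tag")" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "ghcr.io/ferrlabs/ferrflow:$tag"
}

# Usage: ./verify_release.sh v1.2.3 (skipped when sourced without arguments).
if [ "$#" -gt 0 ]; then verify_release "$1"; fi
```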