Halo: patch sign command for keyNo <= 3 (#241) #305
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Integrity check | |
| on: | |
| push: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: '37 21 * * *' | |
| jobs: | |
| integrity_npmjs: | |
| name: Integrity check (npmjs) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 | |
| - name: Get latest version from npm | |
| id: get-latest-npm | |
| run: | | |
| curl -s -o "$RUNNER_TEMP/package-npm.json" https://registry.npmjs.org/@arx-research/libhalo/latest | |
| NPM_LATEST_VER=$(cat "$RUNNER_TEMP/package-npm.json" | jq --raw-output '.version' | tr -d '\n') | |
| NPM_HASH=$(cat "$RUNNER_TEMP/package-npm.json" | jq --raw-output '.dist.integrity' | tr -d '\n') | |
| echo "NPM_LATEST_VER=$NPM_LATEST_VER" >> $GITHUB_ENV | |
| echo "NPM_HASH=$NPM_HASH" >> $GITHUB_ENV | |
| - name: Check cosign signature | |
| run: | | |
| curl -s -o "$RUNNER_TEMP/release_info.json" https://api.github.com/repos/arx-research/libhalo/releases/tags/libhalo-v${NPM_LATEST_VER} | |
| COMMIT_HASH=$(cat "$RUNNER_TEMP/release_info.json" | jq --raw-output '.target_commitish' | tr -d '\n') | |
| curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt" | |
| curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt-keyless.pem" | |
| curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt-keyless.sig" | |
| cosign verify-blob \ | |
| --cert "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" \ | |
| --signature "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" \ | |
| --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@refs/tags/libhalo-v${NPM_LATEST_VER}" \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-github-workflow-sha "$COMMIT_HASH" \ | |
| "$RUNNER_TEMP/libhalo-npm-hash.txt" | |
| echo "Verified ${NPM_LATEST_VER} with commit ID: ${COMMIT_HASH}" | |
| - name: Verify integrity hash on npmjs | |
| run: | | |
| OUR_HASH=$(cat "$RUNNER_TEMP/libhalo-npm-hash.txt" | tr -d '\n') | |
| echo "Our hash: $OUR_HASH" | |
| echo "NPM hash: $NPM_HASH" | |
| [[ "$NPM_HASH" == "$OUR_HASH" ]] | |
| integrity_gh: | |
| name: Integrity check (GitHub Packages) | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| steps: | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 | |
| - name: Get latest version from npm | |
| id: get-latest-gh | |
| run: | | |
| curl -s -L -o "$RUNNER_TEMP/package-gh.json" \ | |
| -H "Accept: application/vnd.github+json" \ | |
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "X-GitHub-Api-Version: 2022-11-28" \ | |
| https://npm.pkg.github.com/@arx-research%2flibhalo | |
| GH_LATEST_VER=$(cat "$RUNNER_TEMP/package-gh.json" | jq --raw-output '.["dist-tags"].latest' | tr -d '\n') | |
| NPM_HASH=$(cat "$RUNNER_TEMP/package-gh.json" | jq --raw-output ".versions[\"${GH_LATEST_VER}\"].dist.integrity" | tr -d '\n') | |
| echo "GH_LATEST_VER=$GH_LATEST_VER" >> $GITHUB_ENV | |
| echo "NPM_HASH=$NPM_HASH" >> $GITHUB_ENV | |
| - name: Check cosign signature | |
| run: | | |
| curl -s -o "$RUNNER_TEMP/release_info.json" https://api.github.com/repos/arx-research/libhalo/releases/tags/libhalo-v${GH_LATEST_VER} | |
| COMMIT_HASH=$(cat "$RUNNER_TEMP/release_info.json" | jq --raw-output '.target_commitish' | tr -d '\n') | |
| curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt" | |
| curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt-keyless.pem" | |
| curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt-keyless.sig" | |
| cosign verify-blob \ | |
| --cert "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" \ | |
| --signature "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" \ | |
| --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@refs/tags/libhalo-v${GH_LATEST_VER}" \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-github-workflow-sha "$COMMIT_HASH" \ | |
| "$RUNNER_TEMP/libhalo-npm-hash.txt" | |
| echo "Verified ${GH_LATEST_VER} with commit ID: ${COMMIT_HASH}" | |
| - name: Verify integrity hash on npmjs | |
| run: | | |
| OUR_HASH=$(cat "$RUNNER_TEMP/libhalo-npm-hash.txt" | tr -d '\n') | |
| echo "Our hash: $OUR_HASH" | |
| echo "NPM hash: $NPM_HASH" | |
| [[ "$NPM_HASH" == "$OUR_HASH" ]] |