This repository demonstrates how SignPath validates GitHub rulesets and other policies.
- See `.signpath/policies/release-signing.yml` for the policy definition.
- See `.github/workflows/sign.yml` for the workflow definition.
SignPath checks that the policies have been applied to the given branch. On the releases/weaker-condition branch, the code scanning ruleset rule is not enforced. SignPath will not allow signing builds from that release.
For the releases/interrupted-condition branch, the ruleset has been temporarily disabled between 2024-12-12 11:07 UTC and 2024-12-23 09:07 UTC, allowing e.g. commits without code reviews. SignPath catches such interruptions and prevents the software from being signed.
Builds from the releases/fails-for-retry branch will always fail. When the failed run is re-run, SignPath will refuse to sign the software. SignPath can optionally prevent re-runs to avoid situations where old, vulnerable states of the software are re-built and signed.
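The following is an added illustration of the two branch checks described above (the weaker-condition case, where a required rule is simply not enforced on the branch, and the interrupted-condition case, where enforcement was switched off for a period). It is a constructed toy model and not SignPath's code: the rule names, the ruleset layout and the `check_policy` function are assumptions made here so that the decision logic can be run offline, and the outage dates are the ones stated above.

```python
"""Toy model of ruleset-policy validation (constructed example, not SignPath code).

A build from `branch` may only be signed when every required rule is enforced
on that branch by some ruleset, and that enforcement had no outage overlapping
the commit window the build covers.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(year, month, day, hour=0, minute=0):
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class Ruleset:
    name: str
    branches: list            # target patterns; a trailing '*' is a prefix wildcard
    rules: list               # rule names this ruleset enforces
    excluded: list = field(default_factory=list)   # branches explicitly left out
    # (branch, disabled_from, re_enabled_at): periods where the branch was
    # temporarily removed from the ruleset, i.e. nothing was enforced on it
    outages: list = field(default_factory=list)

    def applies_to(self, branch):
        if branch in self.excluded:
            return False
        return any(
            branch == p or (p.endswith("*") and branch.startswith(p[:-1]))
            for p in self.branches
        )


# Assumed rule names; the real GitHub ruleset rule identifiers are not part of this page.
REQUIRED_RULES = ["pull_request_review", "code_scanning"]

# Constructed rulesets mirroring the repository setup described in this README.
RULESETS = [
    Ruleset(
        name="release-protection",
        branches=["main", "releases/*"],
        rules=["pull_request_review", "required_status_checks"],
        outages=[("releases/interrupted-condition",
                  utc(2024, 12, 12, 11, 7), utc(2024, 12, 23, 9, 7))],
    ),
    Ruleset(
        name="code-scanning",
        branches=["main", "releases/*"],
        rules=["code_scanning"],
        excluded=["releases/weaker-condition"],
    ),
]


def check_policy(branch, window_start, window_end, rulesets=RULESETS,
                 required=REQUIRED_RULES):
    """Return a list of findings; an empty list means the build may be signed.

    `window_start`..`window_end` is the time span of the commits the build
    contains, so an outage inside that span means unreviewed history may have
    entered the branch.
    """
    findings = []
    for rule in required:
        enforcers = [rs for rs in rulesets if rs.applies_to(branch) and rule in rs.rules]
        if not enforcers:
            findings.append(f"{rule}: not enforced on {branch}")
            continue
        for rs in enforcers:
            for out_branch, start, end in rs.outages:
                # Half-open interval overlap test between outage and build window.
                if out_branch == branch and start < window_end and end > window_start:
                    findings.append(
                        f"{rule}: disabled {start:%Y-%m-%d %H:%M} to "
                        f"{end:%Y-%m-%d %H:%M} UTC within build window"
                    )
    return findings


if __name__ == "__main__":
    for b in ("main", "releases/weaker-condition", "releases/interrupted-condition"):
        result = check_policy(b, utc(2024, 12, 1), utc(2024, 12, 31))
        print(b, "->", "SIGN" if not result else result)
```

The interrupted-condition branch only fails when the build's commit window overlaps the outage; a build whose commits all post-date the re-enablement passes this toy check, which is why the model takes the commit window rather than only the build timestamp as input.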
For this repository to work, the following configuration is required:

- An organization with the Trusted Build System GitHub.com configured
- A project with
  - the slug `executable`
  - the Trusted Build System linked
  - an artifact configuration `zipped` for a `<pe-file>` within a `<zip-file>`
  - a signing policy with the slug `release-signing` and a CI User set as a submitter
- The SignPath GitHub App needs to be installed and granted permission to this repository
- A ruleset for the given repository that enforces all the validated policies except code scanning for the default branch and all `releases/*` branches
  - The `releases/interrupted-condition` branch has to be explicitly removed temporarily
- A second ruleset that enforces code scanning for all branches but the `releases/weaker-condition` branch
- The organization ID added as a repository variable `SIGNPATH_ORGANIZATION_ID`
- The API Token of the CI User added to a repository secret `SIGNPATH_API_TOKEN`