From aebe436cbdf252257e3c15a55e232cabb5dbf8b3 Mon Sep 17 00:00:00 2001
From: Miguel Torres
Date: Sat, 30 May 2026 07:20:17 -0700
Subject: [PATCH] fix(deps): Add release security artifacts (checksums, signatures, SBOM) VC-53686

---
.github/README.md | 34 +++++++
.github/workflows/release-security.yml | 129 +++++++++++++++++++++++++
2 files changed, 163 insertions(+)
create mode 100644 .github/workflows/release-security.yml

diff --git a/.github/README.md b/.github/README.md
index c3d73d9..2d1905d 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -51,6 +51,40 @@ Download the appropriate archive from the latest release and extract it manually
 - [Windows x64 (zip)](../../../releases/latest/download/vssh_windows_amd64.zip)
 - [Windows x86 (zip)](../../../releases/latest/download/vssh_windows_386.zip)
 
+### Verifying Downloads
+
+For security, all releases include SHA-256 checksums and cryptographic signatures. We recommend verifying your download before use.
+
+#### Verify Checksum
+Download the [checksums.txt](../../../releases/latest/download/checksums.txt) file and verify your download:
+
+```bash
+sha256sum -c checksums.txt --ignore-missing
+```
+
+On macOS:
+```bash
+shasum -a 256 -c checksums.txt --ignore-missing
+```
+
+#### Verify Signature (Advanced)
+Each release's checksums file is cryptographically signed using [Sigstore](https://www.sigstore.dev/). To verify the signature:
+
+1. Install [cosign](https://docs.sigstore.dev/cosign/installation/)
+2. Download [checksums.txt.bundle](../../../releases/latest/download/checksums.txt.bundle)
+3. Verify the signature:
+
+```bash
+cosign verify-blob \
+ --bundle checksums.txt.bundle \
+ --certificate-identity-regexp "^https://github.com/venafi/vssh-cli" \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ checksums.txt
+```
+
+#### Software Bill of Materials (SBOM)
+Each release includes a Software Bill of Materials in CycloneDX format: [sbom.json](../../../releases/latest/download/sbom.json)
+
 ## Short usage examples
 
 The examples bellow applies to the latest version of vSSH CLI.
diff --git a/.github/workflows/release-security.yml b/.github/workflows/release-security.yml
new file mode 100644
index 0000000..95379ba
--- /dev/null
+++ b/.github/workflows/release-security.yml
@@ -0,0 +1,129 @@
+name: Release Security Artifacts
+
+on:
+ release:
+ types: [published]
+
+permissions:
+ contents: write
+ id-token: write
+
+jobs:
+ generate-security-artifacts:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+
+ - name: Download release artifacts
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ mkdir -p release-artifacts
+ cd release-artifacts
+
+ # Download all release assets
+ gh release download ${{ github.event.release.tag_name }} \
+ --repo ${{ github.repository }} \
+ --pattern "*.zip"
+
+ - name: Generate SHA-256 checksums
+ run: |
+ cd release-artifacts
+ sha256sum *.zip > checksums.txt
+ cat checksums.txt
+
+ - name: Sign checksums with cosign (keyless)
+ run: |
+ cd release-artifacts
+ cosign sign-blob \
+ --yes \
+ --bundle checksums.txt.bundle \
+ checksums.txt
+
+ - name: Generate SBOM
+ run: |
+ cat > release-artifacts/sbom.json <<'EOF'
+ {
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "metadata": {
+ "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+ "component": {
+ "type": "application",
+ "name": "vssh-cli",
+ "version": "${{ github.event.release.tag_name }}",
+ "purl": "pkg:github/venafi/vssh-cli@${{ github.event.release.tag_name }}",
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/venafi/vssh-cli"
+ },
+ {
+ "type": "website",
+ "url": "https://www.cyberark.com/products/ssh-manager-for-machines/"
+ }
+ ]
+ },
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ }
+ ]
+ },
+ "components": []
+ }
+ EOF
+
+ - name: Upload security artifacts to release
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ cd release-artifacts
+ gh release upload ${{ github.event.release.tag_name }} \
+ checksums.txt \
+ checksums.txt.bundle \
+ sbom.json \
+ --repo ${{ github.repository }} \
--clobber
+
+ - name: Update release notes with verification instructions
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ cat > verification-instructions.md <<'EOF'
+ ## Verification
+
+ ### Verify checksums
+ Download `checksums.txt` and verify your download:
+ ```bash
+ sha256sum -c checksums.txt --ignore-missing
+ ```
+
+ ### Verify signature
+ Install [cosign](https://github.com/sigstore/cosign) and verify the checksums file signature:
+ ```bash
+ cosign verify-blob \
+ --bundle checksums.txt.bundle \
+ --certificate-identity-regexp "^https://github.com/venafi/vssh-cli" \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ checksums.txt
+ ```
+
+ ### SBOM
+ A Software Bill of Materials (SBOM) in CycloneDX format is available as `sbom.json`.
+ EOF
+
+ # Append to existing release notes
+ CURRENT_BODY=$(gh release view ${{ github.event.release.tag_name }} --json body -q .body)
+ NEW_BODY="${CURRENT_BODY}\n\n$(cat verification-instructions.md)"
+
+ gh release edit ${{ github.event.release.tag_name }} \
+ --notes "${NEW_BODY}" \
+ --repo ${{ github.repository }}
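Review bot: The `NEW_BODY="${CURRENT_BODY}\n\n$(cat verification-instructions.md)"` line in the last step writes a literal `\n\n` into the release notes, because bash double quotes do not interpret `\n`; use `NEW_BODY="${CURRENT_BODY}"$'\n\n'"$(cat verification-instructions.md)"` (or a `printf '%s\n\n%s'`), and note that a re-run of this job will append the block a second time. The same quoting issue affects the SBOM step: the heredoc is opened with `<<'EOF'`, so `"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)"` lands in `sbom.json` verbatim rather than expanded (the `${{ }}` expressions are substituted by Actions before the shell runs, so only the timestamp is affected); open it as `cat > release-artifacts/sbom.json <<EOF`, and since `"components": []` is hard-coded the file is a stub rather than an inventory, which the release notes should say until it is generated from the checked-out source tree. The verification command embedded in the release notes uses `--certificate-identity-regexp "^https://github.com/venafi/vssh-cli"`, a prefix match that accepts a certificate issued to any workflow in this repository (and to any repository whose name merely starts with `vssh-cli`); for keyless signing from Actions the certificate identity is the workflow file plus ref, so pin it, e.g. `--certificate-identity-regexp '^https://github\.com/venafi/vssh-cli/\.github/workflows/release-security\.yml@refs/tags/'`. Separately, `${{ github.event.release.tag_name }}` is interpolated straight into several `run:` scripts; passing it through `env:` and quoting it as `"$TAG"` removes the shell-metacharacter surface for anyone who can publish a release. If the release also carries archives other than `*.zip` (the macOS verification instructions suggest it does), neither the download pattern nor `sha256sum *.zip` covers them — worth confirming.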