Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,13 +78,28 @@ jobs:
release:
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
id-token: write # required for cosign keyless OIDC signing
steps:
- name: Download artifacts
uses: actions/download-artifact@v8
with:
path: dist
merge-multiple: true

- name: Generate checksums
working-directory: dist
shell: bash
run: sha256sum lf-*.{zip,tar.gz} > sha256sums.txt

- name: Install cosign
uses: sigstore/cosign-installer@v3

- name: Sign checksums (sigstore keyless)
working-directory: dist
run: cosign sign-blob --yes --bundle sha256sums.txt.sigstore.json sha256sums.txt

- name: Release
uses: softprops/action-gh-release@v2
with:
Expand Down
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ See [faq](https://github.com/gokcehan/lf/wiki/FAQ) for more information and [tut
See [packages](https://github.com/gokcehan/lf/wiki/Packages) for community maintained packages.

See [releases](https://github.com/gokcehan/lf/releases) for pre-built binaries.
See [security](SECURITY.md) for release verification and reproducible builds.

Building from the source requires [Go](https://go.dev/).

Expand Down
34 changes: 34 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Verifying Releases

Release artifacts are signed using [sigstore cosign](https://github.com/sigstore/cosign) with keyless signing.
Each signing event is recorded in the [Rekor](https://rekor.sigstore.dev) transparency log, providing a public auditable record that the artifacts were built by the official GitHub Actions release workflow.

A single signature is produced over `sha256sums.txt`, which lists the SHA-256 of every release archive. Verifying the signature on `sha256sums.txt` and then verifying each archive against `sha256sums.txt` gives the same end-to-end guarantee as a per-archive signature.

## Verify a download

Install cosign:

go install github.com/sigstore/cosign/v3/cmd/cosign@latest

Download `sha256sums.txt`, `sha256sums.txt.sigstore.json`, and the archive(s) you want from the [releases page](https://github.com/gokcehan/lf/releases), then:

cosign verify-blob sha256sums.txt \
--bundle sha256sums.txt.sigstore.json \
--certificate-identity "https://github.com/gokcehan/lf/.github/workflows/release.yml@refs/tags/TAG" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Replace `TAG` with the release tag (e.g. `r33`).

Once `sha256sums.txt` is trusted, verify the archive(s) against it:

sha256sum --check --ignore-missing sha256sums.txt

## Reproduce a build

Builds are reproducible given the same Go version and source:

go version -m ./lf # shows the exact Go version used
git checkout TAG
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.gVersion=TAG"
sha256sum lf # compare with sha256sums.txt