Add PGP signatures and attestations to build process #44

remyroy · 2024-05-06T19:15:14Z

This PR adds 2 new elements to our build process with Github workflows:

It create PGP signatures based on the stored PGP private key with Github secrets. It expects 2 secrets: GPG_PRIVATE_KEY and PASSPHRASE as described with the import-gpg action. I've already added those to the eth-educators/ethstaker-deposit-cli repo. You can see the documentation on this for more details.
It creates build attestations to create a strong link between the workflow used to create the release assets and the eventual releases. See the documentation for more details.

remyroy · 2024-05-06T20:46:40Z

Fixes #31

remyroy · 2024-05-06T20:54:03Z

The public key used for the eth-educators/ethstaker-deposit-cli repo for now is:

valefar-on-discord

I testing this on my own branch and verified the gpg signature and the attestations without issue.

One small question:

.github/workflows/build.yml

remyroy added 10 commits May 6, 2024 12:32

Add attestation step

f12bc29

Adding missing permissions

eb52bb2

Adding missing permission

3b49621

Fix for artifacts attestation

246bc06

Import GPG key

6ad4198

Adding GPG signature in output artifacts

788dace

Using a specific GPG key

00e6c36

Fix for GPG key id

4130830

Change trust level

77d8ab9

Fix Windows signature

a2e361a

remyroy linked an issue May 6, 2024 that may be closed by this pull request

Add PGP signing for release assets #31

Closed

valefar-on-discord approved these changes May 6, 2024

View reviewed changes

.github/workflows/build.yml Show resolved Hide resolved

valefar-on-discord merged commit 2a22142 into eth-educators:main May 7, 2024
15 checks passed

Provide feedback