Ensuring the integrity and security of software artifacts is extremely important. With the proliferation of supply chain attacks and the increasing complexity of software development environments, developers need robust tools to safeguard their code and build processes. Recognizing this need, GitHub has introduced Artifact Attestations, a feature designed to provide a verifiable way to link software artifacts back to their source code and build instructions within GitHub Actions workflows.

What are GitHub Artifact Attestations?

GitHub Artifact Attestations represent a significant step forward in ensuring the integrity and provenance of software artifacts. By leveraging Sigstore, an open-source project dedicated to simplifying signing for software artifacts, Artifact Attestations enable developers to create tamper-proof, unforgeable paper trails that establish a clear link between software artifacts and the processes that produced them.

GitHub Artifact Attestations workflow
Source: GitHub

How does it work?

The mechanics behind Artifact Attestations are both sophisticated and streamlined. When an attestation action is executed within a GitHub Actions workflow, Sigstore generates a short-lived X.509 certificate, binding the public key to the workflow’s OIDC identity. This certificate is then used to sign a document containing an in-toto statement, which links the artifact to the workflow run. Crucially, this process is designed to minimize the complexities associated with traditional public key infrastructure (PKI), placing trust in the security of the developer’s GitHub account.
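To make the pieces above concrete, here is an added example (not code from the article or from GitHub) that models, offline and in plain Python, what an attestation carries and what a verifier checks. It builds an in-toto Statement whose subject is the SHA-256 of a constructed artifact, wraps it in a DSSE envelope, computes the DSSE pre-authentication encoding (PAE) that the workflow's short-lived key actually signs, and then performs the verifier-side checks: does the downloaded file match the attested subject, and does the provenance name the expected repository and workflow. The signature itself is left as a placeholder, since checking it against the Sigstore certificate is what `gh attestation verify` does; the repository and workflow names are assumed values.

```python
"""Added example: an offline model of an in-toto / DSSE artifact attestation.
Not the article's or GitHub's code. Repository and workflow names are assumed."""
import base64
import hashlib
import json

# Constructed sample artifact (stands in for bin/my-artifact.tar.gz).
SAMPLE_ARTIFACT = b"example release payload\n"

# Hypothetical builder identity the verifier expects to see (assumed values).
EXPECTED_REPO = "my-organization/my-repo"
EXPECTED_WORKFLOW = ".github/workflows/release.yml"

PAYLOAD_TYPE = "application/vnd.in-toto+json"


def make_statement(artifact_name: str, artifact: bytes, repo: str, workflow: str) -> dict:
    """Build an in-toto Statement (v1) carrying a SLSA v1 provenance predicate.
    The predicate is trimmed to the fields the checks below consult."""
    digest = hashlib.sha256(artifact).hexdigest()
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name, "digest": {"sha256": digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "workflow": {
                        "repository": f"https://github.com/{repo}",
                        "path": workflow,
                    }
                }
            }
        },
    }


def dsse_pae(payload_type: str, body: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes the signer's key signs.
    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)


def make_envelope(statement: dict) -> dict:
    """Wrap the statement in a DSSE envelope. The signature is a placeholder:
    in the real system it is produced with the key bound to the workflow's
    short-lived Sigstore certificate."""
    body = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(body).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"<placeholder>").decode()}],
    }


def statement_from_envelope(envelope: dict) -> dict:
    return json.loads(base64.b64decode(envelope["payload"]))


def verify_subject(envelope: dict, artifact: bytes) -> bool:
    """Verifier check 1: the local file's SHA-256 must match an attested subject.
    A tampered or substituted artifact fails here."""
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement_from_envelope(envelope)["subject"]
    return any(s.get("digest", {}).get("sha256") == digest for s in subjects)


def verify_builder(envelope: dict, expected_repo: str, expected_workflow: str) -> bool:
    """Verifier check 2: provenance must name the repository and workflow we
    trust to have produced this artifact (the 'who built it' policy)."""
    statement = statement_from_envelope(envelope)
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False
    wf = statement["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
    return (
        wf.get("repository") == f"https://github.com/{expected_repo}"
        and wf.get("path") == expected_workflow
    )


def demo() -> dict:
    """Run the checks on the constructed artifact and on a tampered copy."""
    stmt = make_statement("my-artifact.tar.gz", SAMPLE_ARTIFACT, EXPECTED_REPO, EXPECTED_WORKFLOW)
    env = make_envelope(stmt)
    return {
        "pae_prefix": dsse_pae(PAYLOAD_TYPE, b"")[:40].decode(),
        "genuine": verify_subject(env, SAMPLE_ARTIFACT),
        "tampered": verify_subject(env, SAMPLE_ARTIFACT + b"x"),
        "right_builder": verify_builder(env, EXPECTED_REPO, EXPECTED_WORKFLOW),
        "wrong_builder": verify_builder(env, "someone-else/fork", EXPECTED_WORKFLOW),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two checks are the substance of step 3 later in this post: the digest check ties the bytes on disk to the statement, and the builder check ties the statement to an identity you trust. Both only mean something once the signature over the PAE has been validated against a certificate whose identity claims name that same workflow, which is the part delegated to Sigstore and the GitHub CLI.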

How GitHub Attestations works
Source: GitHub

Benefits of Artifact Attestations

The benefits of Artifact Attestations are manifold. Not only do they provide developers with a simple yet powerful tool for ensuring the integrity of their software artifacts, but they also mitigate the risk of supply chain attacks and bolster the security of the broader software ecosystem. By creating a verifiable paper trail, Artifact Attestations instill confidence in the origins of software artifacts, facilitating more robust security and compliance practices.

Use cases and examples

Integrating Artifact Attestations into GitHub Actions workflows is a straightforward process, requiring just a few lines of YAML configuration and the installation of the GitHub CLI tool. Developers can attest to build provenance effortlessly, ensuring that their artifacts are linked back to their source code and build instructions. Additionally, Artifact Attestations support the association of artifacts with Software Bill of Materials (SBOMs), further enhancing transparency and traceability in the software development process.

GitHub is a Root Certificate Authority

In creating this feature, GitHub’s goal was to enable users to sign artifacts on GitHub Actions and verify them anywhere, even offline. Understanding the challenges of public key infrastructure (PKI) and the desire among users to avoid managing PKI systems or risking secrets being leaked, they took the initiative to establish GitHub as a root certificate authority (CA) for signing software, giving GitHub control over the entire certificate chain.

In October 2023, GitHub launched an X.509 certificate authority and RFC 3161 timestamp server. The trust root is managed using a quorum of hardware tokens held by employees globally, leveraging tooling from the TUF project, to which GitHub contributes. The GitHub CA and timestamp services are instances of Sigstore applications, with intermediate certificates stored in Azure KeyVault Managed HSMs. Signing certificates are valid for 10 minutes from issuance, eliminating the complexities of managing Certificate Revocation Lists (CRLs).

Add Artifact Attestation to GitHub Actions Workflows

GitHub Artifact Attestations can be easily added to workflow YAML as a natively supported feature of GitHub Actions. Once the build workflow has finished and the artifact has been downloaded, the GitHub CLI can be used to verify the artifact's attestation.

Step 1: Enable GitHub Actions workflow to write to the attestations store:

permissions:
  id-token: write
  attestations: write
  contents: read

Step 2: Direct workflow to create attestation:

- name: Attest Build Provenance
  uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
  with:
    subject-path: "bin/my-artifact.tar.gz"

Step 3: Use GitHub CLI to verify attestation after build is finished and artifact is downloaded:

gh attestation verify my-artifact.tar.gz -o my-organization
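Putting the three steps together, here is an added example of a complete workflow (not from the article or from GitHub) that builds the artifact, attests it, and uploads it so it can be downloaded and verified. The workflow name, trigger, build command and `my-organization`/`my-repo` identity are assumptions; the action pin is the one shown in step 2.

```yaml
# Added example workflow (not the article's own). Name, trigger, build step
# and artifact name are assumptions; the attest action pin is from step 2.
name: release

on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: ubuntu-latest
    # Step 1: job-level permissions. id-token lets Sigstore issue the short-lived
    # certificate for this run's OIDC identity; attestations lets the job write
    # to the repository's attestations store.
    permissions:
      id-token: write
      attestations: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: |
          mkdir -p bin
          tar -czf bin/my-artifact.tar.gz src/   # assumed build command

      # Step 2: attest the exact file that was just built. subject-path must
      # point at the bytes you will later ship, since the attestation records
      # their SHA-256 as the subject.
      - name: Attest Build Provenance
        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
        with:
          subject-path: "bin/my-artifact.tar.gz"

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: my-artifact
          path: bin/my-artifact.tar.gz
```

Step 3 is then run wherever the artifact is consumed: download `my-artifact.tar.gz` and run `gh attestation verify my-artifact.tar.gz -o my-organization`, where `-o` is the owner of the repository whose workflow produced the attestation. If the file has been modified after the attest step, its digest no longer matches the attested subject and verification fails, which is the property a consumer relies on.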

Future Developments

Looking ahead, GitHub plans to expand the capabilities of Artifact Attestations to support additional types of artifacts associated with the build process. This includes plans for Kubernetes support and new guarantees for releases, underscoring GitHub’s commitment to continually enhancing the security and integrity of software supply chains.

Conclusion

In an era marked by increasing concerns about software security and integrity, Artifact Attestations represent a significant step forward. By providing developers with a verifiable way to link software artifacts back to their source code and build instructions, Artifact Attestations empower developers to strengthen the security of their software supply chains and foster a culture of transparency and trust. As GitHub continues to evolve and expand the capabilities of Artifact Attestations, developers can look forward to even greater levels of security and assurance in their software development practices.

You can read more about GitHub Artifact Attestations over on the GitHub blog.

Chris Pietschmann is a Microsoft MVP, HashiCorp Ambassador, and Microsoft Certified Trainer (MCT) with 20+ years of experience designing and building Cloud & Enterprise systems. He has worked with companies of all sizes from startups to large enterprises. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.
