From 1dc1a982ffbb3f584114b5ab56ee3ace0f0ddb6c Mon Sep 17 00:00:00 2001 From: Cary Phillips Date: Wed, 21 Feb 2024 14:46:23 -0800 Subject: [PATCH] Add workflow to sign release artifacts with Sigstore (#369) * Add workflow to sign release artifacts with Sigstore Replicates the openexr workflow: https://github.com/AcademySoftwareFoundation/openexr/pull/1637 Signed-off-by: Cary Phillips * Use cosign and gh Signed-off-by: Cary Phillips * Add comment reference to sigstore docs Signed-off-by: Cary Phillips * Use gh-action-sigstore-python Signed-off-by: Cary Phillips * Update security policy Signed-off-by: Cary Phillips --------- Signed-off-by: Cary Phillips --- .github/workflows/release-sign.yml | 54 ++++++++++++++++++++ SECURITY.md | 81 ++++++++++++++++++++++++++---- 2 files changed, 126 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/release-sign.yml diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml new file mode 100644 index 00000000..7927017c --- /dev/null +++ b/.github/workflows/release-sign.yml 
@@ -0,0 +1,54 @@ +# SPDX-License-Identifier: BSD-3-Clause +# Copyright (c) Contributors to the OpenEXR Project. + +# +# Releases are signed via https://github.com/sigstore/sigstore-python. +# See https://docs.sigstore.dev for information about sigstore. +# +# This action creates a .tar.gz of the complete Imath source tree at +# the given release tag, signs it via sigstore, and uploads the +# .tar.gz and the associated .tar.gz.sigstore credential bundle. +# +# To verify a downloaded release at a given tag: +# +# % pip install sigstore +# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/ Imath-.tar.gz +# + +name: Sign Release + +on: + release: + types: [created] + +permissions: + contents: write + id-token: write + repository-projects: write + +jobs: + release: + name: Sign & upload release artifacts + runs-on: ubuntu-latest + + env: + tarball: Imath-${{ github.ref_name }}.tar.gz + + steps: + + - name: Checkout + uses: actions/checkout@v2 + + - name: Create archive + run: git archive --format=tar.gz -o ${{ env.tarball }} ${{ github.ref_name }} + + - name: Sign archive with Sigstore + uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + inputs: ${{ env.tarball }} + + - name: Upload release archive + env: + GH_TOKEN: ${{ github.token }} + run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}.sigstore + diff --git a/SECURITY.md b/SECURITY.md index 9f663d82..aeb9ca01 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -6,13 +6,76 @@ ## Reporting a Vulnerability If you think you've found a potential vulnerability in Imath, please -report it by emailing security@openexr.com. Only OpenEXR Technical -Steering Committee members and Academy Software Foundation project -management have access to these messages. Include detailed steps to -reproduce the issue, and any other information that could aid an -investigation. Our policy is to respond to vulernability reports -within 14 days. - -Our policy is to address critical security vulnerabilities rapidly and -post patches as quickly as possible. +report it by filing a GitHub [security +advisory](https://github.com/AcademySoftwareFoundation/Imath/security/advisories/new). Alternatively, +email security@openexr.com and provide your contact info for further +private/secure discussion. If your email does not receive a prompt +acknowledgement, your address may be blocked. + +Our policy is to acknowledge the receipt of vulnerability reports +within 48 hours. Our policy is to address critical security vulnerabilities +rapidly and post patches within 14 days if possible. + +## Supported Versions + +This gives guidance about which branches are supported with patches to +security vulnerabilities. + +| Version / branch | Supported | +| --------- | ---------------------------------------------------- | +| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. | +| 3.1.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. | +| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. | + +## Signed Releases + +Releases artifacts are signed via +[sigstore](https://www.sigstore.dev). See +[release-sign.yml](.github/workflows/release-sign.yml) for details. 
+ +To verify a downloaded release at a given tag: + + % pip install sigstore + % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/ Imath-.tar.gz + +## Security Expectations + +### Software Features + +- The Imath project implements basic vector, matrix, and math + operations, and is used throughout the motion picture industry and + beyond, on Linux, macOS, and Windows. + +- The project consists of a software run-time library, implemented in + C/C++ and built via cmake. The project also distributes python + wrappings for the C/C++ I/O API. + +- The library provides no external input/output. + +- Other than the website and online technical documentation, the + project implements no web/online services or network communication + protocols. The library never requests any security or + authentication credentials or login information from users. + + The website implements no interactive features and requires no login + credentials. + +### Software Dependencies + +Imath has no external dependencies. + +The Imath python bindings depend on python and boost. + +### Development Cycle and Distribution + +Imath is downloadable and buildable by C/C++ source via GitHub. Only +members of the project's Technical Steering Committee, all veteran +software engineers at major motion picture studios or vendors, have +write permissions on the source code repository. All critical software +changes are reviewed by multiple TSC members. + +The library is distributed in binary form via many common package +managers across all platforms. + +
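Review bot: the `Checkout` and `Sign archive with Sigstore` steps in the release-sign.yml hunk reference actions by mutable tag (`actions/checkout@v2`, `sigstore/gh-action-sigstore-python@v2.1.1`); because this job holds `id-token: write` and `contents: write`, pin both to a full commit SHA so a moved tag cannot swap the code that receives the OIDC token and uploads release assets (`actions/checkout@v2` is also an outdated major). The `permissions` block grants `repository-projects: write`, which nothing in the job uses (`gh release upload` needs only `contents: write`); drop it. In the header comment the verification example reads `release-sign.yml@refs/tags/ Imath-.tar.gz`, with the tag absent in both places, so the command cannot be pasted as written; make the placeholder explicit and say that the `.sigstore` bundle written by the signing step must sit next to the tarball when `sigstore verify` runs. Also consider `types: [published]` rather than `[created]`: if maintainers save a release as a draft before publishing, the `created` trigger may never fire for it, and the tarball ships unsigned.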
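Review bot: in the `Software Features` list of the SECURITY.md hunk, "The project also distributes python wrappings for the C/C++ I/O API" contradicts the bullet that follows, "The library provides no external input/output"; Imath exposes vector, matrix and math types rather than an I/O API, so this line looks carried over from the OpenEXR policy and should say "wrappings for the C/C++ API". Under `## Signed Releases`, "Releases artifacts are signed" should read "Release artifacts are signed". The verification snippet there has the same empty tag in `refs/tags/` and `Imath-.tar.gz` as the workflow comment, and, unlike that comment, never tells the reader to fetch the `.sigstore` bundle alongside the tarball; add that, and state that the tag in `--cert-identity` must be the tag of the release being verified, since that identity string is the only thing binding the signature to a particular tag. Finally, "If your email does not receive a prompt acknowledgement, your address may be blocked" leaves a reporter with no next step; point them back to the GitHub advisory form in that case.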