Implement signing of ORT releases #8655
Conversation
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Extend reproducibility to `Tar` / `Zip` tasks as provided by the application plugin (via the distribution plugin).
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
In addition to signing Maven artifacts, also sign the distribution archives.
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
This makes ORT pass the OSSF Scorecard check at [1].
[1]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Codecov Report: All modified and coverable lines are covered by tests ✅

@@             Coverage Diff             @@
##               main    #8655   +/-   ##
=========================================
  Coverage     67.92%   67.92%
  Complexity     1005     1005
=========================================
  Files           244      244
  Lines          7772     7772
  Branches        876      876
=========================================
  Hits           5279     5279
  Misses         2110     2110
  Partials        383      383

Flags with carried forward coverage won't be shown.
The project was formally renamed from "CII Best Practices badge" on 2021-12-24, see [1].
[1]: https://www.bestpractices.dev/
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
if (signingInMemoryKey != null && signingInMemoryKeyPassword != null) {
    useInMemoryPgpKeys(signingInMemoryKey, signingInMemoryKeyPassword)
    sign(distTar.get())
    sign(distZip.get())
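Review bot: the `if (signingInMemoryKey != null && signingInMemoryKeyPassword != null)` guard on the first line silently disables signing whenever either value is absent, so nothing in the build output records that the distribution archives were left unsigned; add an `else` branch that at least logs a warning (or fails when a release build is requested), so a missing CI secret does not pass unnoticed.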
Unfortunately, I'm lacking the Gradle knowledge to understand when the signing (above two lines) is executed.
In particular, I wonder if always both, .zip and .tar, get signed. If building a dist archive, does it always create both archive types? Can you give a hint?
The changes to .github/workflows/release.yml in the second-to-last commit give you a hint: You have to call the respective distTar / distZip or signDistTar / signDistZip tasks explicitly. The above code does not execute anything, but it just configures the signing (and makes the signDistTar / signDistZip tasks available).
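The two pieces discussed in this thread, reproducible `Tar` / `Zip` output and PGP signing of the distribution archives, put together in one Gradle Kotlin DSL build script. This is an added example written for this page, not ORT's own build script; it assumes the `application` and `signing` plugins are applied and that the key material arrives through the hypothetical `ORT_SIGNING_KEY` / `ORT_SIGNING_KEY_PASSWORD` environment variables. It also adds the warning branch a reviewer would want, so a missing secret is visible in the log instead of silently leaving the archives unsigned.

```kotlin
// Added example (not ORT's build.gradle.kts): reproducible distribution archives
// plus PGP signing of them. Assumes the application plugin (which pulls in the
// distribution plugin and its distTar / distZip tasks) and the signing plugin.
plugins {
    application
    signing
}

// Reproducibility: drop entry timestamps and fix entry order so that two builds of
// the same commit produce byte-identical distTar / distZip archives. Only then can a
// third party rebuild the release and compare it against the signed artifact.
tasks.withType<AbstractArchiveTask>().configureEach {
    isPreserveFileTimestamps = false
    isReproducibleFileOrder = true
}

// Hypothetical environment variable names; ORT's real configuration is not shown on this page.
val signingInMemoryKey: String? = System.getenv("ORT_SIGNING_KEY")
val signingInMemoryKeyPassword: String? = System.getenv("ORT_SIGNING_KEY_PASSWORD")

// Task references provided by the distribution plugin.
val distTar = tasks.named<Tar>("distTar")
val distZip = tasks.named<Zip>("distZip")

signing {
    if (signingInMemoryKey != null && signingInMemoryKeyPassword != null) {
        // This only configures signing and registers the signDistTar / signDistZip
        // tasks; nothing is signed until one of those tasks is invoked explicitly.
        useInMemoryPgpKeys(signingInMemoryKey, signingInMemoryKeyPassword)
        sign(distTar.get(), distZip.get())
    } else {
        // Make the missing secret visible instead of silently skipping signing.
        logger.warn(
            "No signing key configured; signDistTar / signDistZip will not be available " +
                "and the distribution archives will be unsigned."
        )
    }
}
```

Running `gradle distTar signDistTar distZip signDistZip` (the explicit invocation the reply above describes) builds both archives and writes an ASCII-armoured detached signature next to each one (the Gradle signing plugin's default, a `.asc` file alongside the archive). Consumers verify a downloaded archive against that `.asc` file with the project's public key, which is exactly the evidence the OSSF Scorecard "Signed-Releases" check looks for.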
Thank you!
Please have a look at the individual commit messages for the details.