Implement signing of ORT releases #8655

Merged (5 commits), May 17, 2024

sschuberth (Member)

Please have a look at the individual commit messages for the details.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
Extend reproducibility to `Tar` / `Zip` tasks as provided by the
application plugin (via the distribution plugin).

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
In addition to signing Maven artifacts, also sign the distribution
archives.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
This makes ORT pass the OSSF Scorecard check at [1].

[1]: https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@sschuberth sschuberth requested a review from a team as a code owner May 16, 2024 20:43
Copy link

codecov bot commented May 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.92%. Comparing base (833dac3) to head (8397510).

@@            Coverage Diff            @@
##               main    #8655   +/-   ##
=========================================
  Coverage     67.92%   67.92%           
  Complexity     1005     1005           
=========================================
  Files           244      244           
  Lines          7772     7772           
  Branches        876      876           
=========================================
  Hits           5279     5279           
  Misses         2110     2110           
  Partials        383      383           
Flag Coverage Δ
funTest-docker 66.04% <ø> (ø)
funTest-non-docker 34.79% <ø> (ø)
test 37.84% <ø> (ø)


The project was formally renamed from "CII Best Practices badge" on
2021-12-24, see [1].

[1]: https://www.bestpractices.dev/

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@sschuberth sschuberth requested a review from a team as a code owner May 16, 2024 21:15
if (signingInMemoryKey != null && signingInMemoryKeyPassword != null) {
    // Use the ASCII-armored key and its passphrase held in memory instead of a local keyring.
    useInMemoryPgpKeys(signingInMemoryKey, signingInMemoryKeyPassword)
    // Register signDistTar / signDistZip tasks for the application plugin's archive tasks.
    sign(distTar.get())
    sign(distZip.get())
}
Member

Unfortunately, I'm lacking the Gradle knowledge to understand when the signing (above two lines) is executed.
In particular, I wonder if both .zip and .tar always get signed. If building a dist archive, does it always create both archive types? Can you give a hint?

Member Author

The changes to .github/workflows/release.yml in the second-to-last commit give you a hint: you have to call the respective distTar / distZip or signDistTar / signDistZip tasks explicitly. The above code does not execute anything; it only configures the signing (and makes the signDistTar / signDistZip tasks available).

Member

Thank you!
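As an added illustration of the exchange above (example code, not ORT's own build script), here is a complete Gradle Kotlin DSL `signing {}` block showing where the two discussed lines sit, with the key material sourced from environment variables named ORT_SIGNING_KEY and ORT_SIGNING_PASSWORD (assumed names) and signing made mandatory only on CI:

```kotlin
// Added example, not ORT's build script. Assumes the application and signing
// plugins are applied and that the hypothetical ORT_SIGNING_KEY /
// ORT_SIGNING_PASSWORD environment variables carry the key and passphrase.
plugins {
    application
    signing
}

// Providers: nothing is resolved unless a sign task actually runs.
val signingInMemoryKey: String? =
    providers.environmentVariable("ORT_SIGNING_KEY").orNull
val signingInMemoryKeyPassword: String? =
    providers.environmentVariable("ORT_SIGNING_PASSWORD").orNull

signing {
    // Configure in-memory keys only when both pieces are present, so developer
    // machines without a key still evaluate the build script without error.
    if (signingInMemoryKey != null && signingInMemoryKeyPassword != null) {
        useInMemoryPgpKeys(signingInMemoryKey, signingInMemoryKeyPassword)

        // sign(task) registers one "sign<TaskName>" task per archive task, i.e.
        // signDistTar and signDistZip, each depending on its archive task. This
        // block only configures them; they run when invoked explicitly, e.g.
        // `gradle signDistTar signDistZip` from the release workflow.
        sign(tasks.distTar.get())
        sign(tasks.distZip.get())
    }

    // Keep local `gradle build` from failing when no key is configured while
    // still refusing to produce an unsigned release on CI (CI is assumed set
    // by the CI environment).
    isRequired = providers.environmentVariable("CI").isPresent
}
```

Both archives get a companion `.asc` detached signature only when their respective sign task is requested, which matches the explicit task invocation described in the reply above.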

@sschuberth sschuberth requested a review from fviernau May 17, 2024 07:42
@sschuberth sschuberth merged commit 19dfc01 into main May 17, 2024
20 checks passed
@sschuberth sschuberth deleted the app-signing branch May 17, 2024 09:33