diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml new file mode 100644 index 0000000000..06f83b0ac5 --- /dev/null +++ b/.github/workflows/release-sign.yml @@ -0,0 +1,54 @@ +# SPDX-License-Identifier: BSD-3-Clause +# Copyright (c) Contributors to the OpenEXR Project. + +# +# Releases are signed via https://github.com/sigstore/sigstore-python. +# See https://docs.sigstore.dev for information about sigstore. +# +# This action creates a .tar.gz of the complete OpenEXR source tree at +# the given release tag, signs it via sigstore, and uploads the +# .tar.gz and the associated .tar.gz.sigstore credential bundle. +# +# To verify a downloaded release at a given tag: +# +# % pip install sigstore +# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/ openexr-.tar.gz +# + +name: Sign Release + +on: + release: + types: [created] + +permissions: + contents: write + id-token: write + repository-projects: write + +jobs: + release: + name: Sign & upload release artifacts + runs-on: ubuntu-latest + + env: + tarball: openexr-${{ github.ref_name }}.tar.gz + + steps: + + - name: Checkout + uses: actions/checkout@v2 + + - name: Create archive + run: git archive --format=tar.gz -o ${{ env.tarball }} ${{ github.ref_name }} + + - name: Sign archive with Sigstore + uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + inputs: ${{ env.tarball }} + + - name: Upload release archive + env: + GH_TOKEN: ${{ github.token }} + run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}.sigstore + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b17ad219a2..09a3c3ac62 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -591,14 +591,26 @@ The preferred workflow is: d. Send an email update to ``openexr-dev@lists.aswf.io`` notifying the community of the addition and the new tag. -7. Publish the release +7. Create a signed release tag + + a. Make sure you have a [GPG + key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key) + and it is + [registered](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key) + with your GitHub account and git config. + + b. Create a signed tag with the release name via `git tag -s v3.1.9`. + + c. Push the tag via `git push --tags` + +8. Publish the release a. Click the "Publish release" button on the GitHub release draft b. Send an email to ``openexr-dev@lists.aswf.io`` officially annoucing the release. -8. Update the ``release`` branch, which should always point to the +9. Update the ``release`` branch, which should always point to the most recent patch of the most recent minor release, i.e. the most preferred release. 
@@ -608,24 +620,24 @@ The preferred workflow is: % git merge RB-3.1 % git push -9. Submit a PR that adds the release notes to [CHANGES.md](CHANGES.md) - on the main branch. Cherry-pick the release notes commit from - the release branch. +10. Submit a PR that adds the release notes to [CHANGES.md](CHANGES.md) + on the main branch. Cherry-pick the release notes commit from + the release branch. - - If any changes have gone into [SECURITY.md](SECURITY), cherry-pick - the associated commit as well. + - If any changes have gone into [SECURITY.md](SECURITY), cherry-pick + the associated commit as well. - - Also include in this PR edits to [``docs/news.rst``](docs/news.rst) - that add an announcment of the release. + - Also include in this PR edits to [``docs/news.rst``](docs/news.rst) + that add an announcment of the release. -10. After review/merge of the updates to ``docs/news.rst``, build the +11. After review/merge of the updates to ``docs/news.rst``, build the website at https://readthedocs.org/projects/openexr. -11. If the release has resolved any OSS-Fuzz issues, update the +12. If the release has resolved any OSS-Fuzz issues, update the associated pages at https://bugs.chromium.org/p/oss-fuzz with a reference to the release. -12. If the release has resolved any public CVE's, request an update +13. If the release has resolved any public CVE's, request an update from the registry service providing the release and a link to the release notes. diff --git a/SECURITY.md b/SECURITY.md index 2c7cb3e906..58fc659b50 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -73,6 +73,17 @@ security vulnerabilities. | 2.5.x | :warning: Only the most critical fixes, only if they can be easily backported. | | <= 1.x | :x: No longer receiving patches of any kind. | +## Signed Releases + +Releases artifacts are signed via +[sigstore](https://www.sigstore.dev). See +[release-sign.yml](.github/workflows/release-sign.yml) for details. + +To verify a downloaded release at a given tag: + + % pip install sigstore + % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/ openexr-.tar.gz + ## Security Expectations ### Software Features
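Review bot: `on: release: types: [created]` in release-sign.yml also fires when a release draft is first saved, and in the workflow that this same PR documents in CONTRIBUTING.md the draft exists before the signed tag is pushed (step 7) and before the draft is published (step 8); at that moment `git archive --format=tar.gz -o ${{ env.tarball }} ${{ github.ref_name }}` has no tag to archive and `gh release upload` would attach assets to an unpublished draft. Switch to `types: [published]` so the archive is built and signed once the tag exists and the release is public, and add `--clobber` to the `gh release upload` call so a re-run after a partial upload does not fail on an asset that already exists. Two smaller points on the same hunk: the actions are referenced by mutable tags (`actions/checkout@v2`, `sigstore/gh-action-sigstore-python@v2.1.1`), which for a job that holds `id-token: write` and produces the signatures users will trust should be pinned to full commit SHAs with the version in a trailing comment (and checkout v2 runs on a deprecated Node runtime, so bump it while you are there); and `repository-projects: write` is not needed to create an archive or upload release assets, `contents: write` and `id-token: write` are sufficient, so drop it. Finally, the verification example in the header comment has lost its tag placeholder (`@refs/tags/` and `openexr-.tar.gz`), most likely because an angle-bracketed token was swallowed; use a placeholder form that survives rendering so readers know a tag name goes there.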
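Review bot: in the new step 7c of CONTRIBUTING.md, `git push --tags` pushes every local tag, so a stray or experimental tag on the release manager's machine would be published alongside the release tag (and, with the release workflow keyed on tag names, could end up archived and signed); push the single signed tag instead, `git push origin v3.1.9`, matching the tag named in 7b. Since the surrounding lines are being renumbered anyway, the context line "officially annoucing the release" under step 8 could be corrected to "announcing" in the same change.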
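Review bot: the second CONTRIBUTING.md hunk re-indents the old steps 9 through 12 as 10 through 13 but carries two defects forward on lines it already touches: "that add an announcment of the release" should read "announcement", and the link `[SECURITY.md](SECURITY)` points at a path without the `.md` extension, so it does not resolve to the file it names; change the target to `SECURITY.md` while rewriting these lines.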
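Review bot: the new "Signed Releases" section in SECURITY.md reproduces the verification command with the tag placeholder missing (`--cert-identity https://github.com/AcademySoftwareFoundation/openexr/.github/workflows/release-sign.yml@refs/tags/` and `openexr-.tar.gz`), so as written the identity string and file name are incomplete and a copy-pasted command cannot succeed; restore a visible placeholder in both places. It would also help readers to say that the `.tar.gz.sigstore` bundle uploaded by the workflow has to be downloaded alongside the tarball, since that is what `sigstore verify` checks the archive against, and that the identity must name the exact tag being verified. Minor wording: "Releases artifacts are signed" should be "Release artifacts are signed".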