From 0cf3c045f3df0e6419e19421a29708ad813581a1 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Sun, 19 May 2024 11:03:59 +0200 Subject: [PATCH 1/3] maliciously selects wrong signing policy --- .github/workflows/build-and-sign.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index 24588b2..f89507d 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -43,7 +43,8 @@ jobs: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' project-slug: 'Demo_Application' - signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}' + # maliciously try to get a release signature from a feature branch + signing-policy-slug: 'release-signing' github-artifact-name: "demo-application" wait-for-completion: true output-artifact-directory: 'demo-application-signed' From 36245d984ee44bad8c1f7d487a33538dae8724bb Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Mon, 27 May 2024 16:36:50 +0200 Subject: [PATCH 2/3] prepares for updated to v0.4 --- .github/workflows/build-and-sign.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index f89507d..57a1bd8 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -6,8 +6,6 @@ run-name: Demo workflow signing with SignPath on: push: pull_request: - #schedule: - # - cron: '30 3 * * *' # every day at 3:30am UTC workflow_dispatch: # Allows you to run this workflow manually from the Actions tab jobs: @@ -27,6 +25,7 @@ jobs: run: ./sbom/Create-SBOM.ps1 - name: upload-unsigned-artifact + id: upload-unsigned-artifact uses: actions/upload-artifact@v4 with: name: "demo-application" @@ -38,14 +37,18 @@ jobs: - name: sign uses: signpath/github-action-submit-signing-request@v0.3 env: - SIGNPATH_SIGNING_POLICY_SLUG: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'release-signing' || 'test-signing' }} + # select release-signing policy for main and release branches + SIGNPATH_SIGNING_POLICY_SLUG: | + ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) + && 'release-signing' + || 'test-signing' }} with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' project-slug: 'Demo_Application' # maliciously try to get a release signature from a feature branch signing-policy-slug: 'release-signing' - github-artifact-name: "demo-application" + github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}" wait-for-completion: true output-artifact-directory: 'demo-application-signed' From 63c57058ca70561d70888f7aa3008d04548e4795 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Mon, 27 May 2024 16:39:32 +0200 Subject: [PATCH 3/3] prepares for updated to v0.4 (part 2) --- .github/workflows/build-and-sign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index 57a1bd8..a02b949 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -35,7 +35,7 @@ jobs: .\_BuildResult-unsigned\bom.xml - name: sign - uses: signpath/github-action-submit-signing-request@v0.3 + uses: signpath/github-action-submit-signing-request@v0.4 env: # select release-signing policy for main and release branches SIGNPATH_SIGNING_POLICY_SLUG: |