From 45397c27c48bbb64922c8cac65669790c93bf30b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 4 Aug 2025 10:38:24 +0200 Subject: [PATCH 01/20] install cosign CLI --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 92e7daa925..f2e6a984c1 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,8 @@ buf # e2e playwright + # release assets verification + cosign ]; # Specify the rust-src path (many editors rely on this) From 0baf0f9f438a0dce08536902b90799b957b1e981 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 4 Aug 2025 10:48:57 +0200 Subject: [PATCH 02/20] add signing step to docker build --- .github/workflows/build-docker.yml | 32 ++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 034113495f..0f1d6b6ef9 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -21,6 +21,7 @@ jobs: - self-hosted - Linux - ${{ matrix.runner }} + strategy: matrix: # cpu: [arm64, amd64, arm/v7] @@ -35,23 +36,31 @@ jobs: # - cpu: arm/v7 # runner: ARM # tag: armv7 + + permissions: + contents: read + packages: write + steps: - name: Checkout uses: actions/checkout@v4 with: submodules: recursive + - name: Login to GitHub container registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: buildkitd-config-inline: | [registry."docker.io"] mirrors = ["dockerhub-proxy.teonite.net"] + - name: Build container uses: docker/build-push-action@v6 with: 
@@ -65,8 +74,18 @@ jobs: docker-manifest: runs-on: [self-hosted, Linux] + + permissions: + contents: read + packages: write + id-token: write # needed for signing the images with GitHub OIDC Token + needs: [build-docker] + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.9.2 + - name: Docker meta id: meta uses: docker/metadata-action@v5 @@ -75,12 +94,14 @@ jobs: ${{ env.GHCR_REPO }} flavor: ${{ inputs.flavor }} tags: ${{ inputs.tags }} + - name: Login to GitHub container registry uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Create and push manifests run: | tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}' @@ -91,3 +112,14 @@ jobs: docker manifest push ${tag} done # ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7 + + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push.outputs.digest }} + run: | + tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}' + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} From c0fc94990f960dd217d35b74e0fbdc2c8420a47c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 4 Aug 2025 10:50:34 +0200 Subject: [PATCH 03/20] trigger test run --- .github/workflows/current.yml | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index 26b5c76062..3871e3754c 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -5,6 +5,7 @@ on: - main - dev - "release/**" + - sign_release_assets paths-ignore: - "*.md" - "LICENSE" 
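Review bot: `sigstore/cosign-installer@v3.9.2` in the new Install Cosign step is pinned to a mutable tag, yet this is the job that holds `id-token: write` and produces the signatures consumers will trust, so the installer is effectively part of the signing trust root. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<40-char sha> # v3.9.2`, and add a step comment saying a cosign upgrade here should be reviewed like a key rotation. The other `@vN` references in this file deserve the same treatment, but the installer is the one that matters most.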
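Review bot: The loop in the new signing step reads `${TAGS}` while the variable assigned on the line above is lowercase `tags`, so `images` stays empty and `cosign sign --yes` is invoked with no reference at all. `DIGEST` is unlikely to be populated either: no step with id `build-and-push` is visible in this `docker-manifest` job, and another job's step outputs are not reachable through `steps.*`; in any case the manifest list pushed just above has its own digest, which is what the signature should bind to. Until the digest is resolved from the registry, make the step fail loudly rather than silently sign nothing: `set -euo pipefail` as the first line and `[ -n "${DIGEST}" ] || { echo 'empty digest' >&2; exit 1; }`.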
@@ -21,19 +22,19 @@ jobs: type=ref,event=branch type=sha - trigger-e2e: - needs: build-current - uses: ./.github/workflows/e2e.yml - secrets: inherit + # trigger-e2e: + # needs: build-current + # uses: ./.github/workflows/e2e.yml + # secrets: inherit - trigger-dev-deploy: - needs: build-current - if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' }} - uses: ./.github/workflows/dev-deployment.yml - secrets: inherit + # trigger-dev-deploy: + # needs: build-current + # if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' }} + # uses: ./.github/workflows/dev-deployment.yml + # secrets: inherit - trigger-staging-deploy: - needs: build-current - if: ${{ github.event_name != 'pull_request' && startsWith(github.ref_name, 'release/') }} - uses: ./.github/workflows/staging-deployment.yml - secrets: inherit + # trigger-staging-deploy: + # needs: build-current + # if: ${{ github.event_name != 'pull_request' && startsWith(github.ref_name, 'release/') }} + # uses: ./.github/workflows/staging-deployment.yml + # secrets: inherit From f13e2310eea4996d9846a6a9dbc410df2a061453 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 4 Aug 2025 12:22:51 +0200 Subject: [PATCH 04/20] how about now --- .github/workflows/build-docker.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 0f1d6b6ef9..2c2177d66d 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -117,9 +117,5 @@ jobs: env: DIGEST: ${{ steps.build-and-push.outputs.digest }} run: | - tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}' - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done + images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}' cosign sign --yes ${images} From 2cde6825bcbe2450e7c9a7a6d77a99a6b203be79 Mon Sep 17 00:00:00 2001 
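Review bot: The rewritten step passes mutable tag references to `cosign sign`, so each signature binds to whatever digest the tag resolves to at the moment cosign runs, not to the manifest list that `docker manifest push` just produced; anything that re-points the tag between the two steps gets signed as if it were this build, which is exactly what cosign warns about when given a tag. Resolve the digest of the pushed manifest list once and sign `repo@sha256:...`; every tag points at the same manifest, so one digest signature covers them and `cosign verify` by any tag still succeeds. If `docker buildx` is not present on this runner, `crane digest` does the same job. The `DIGEST` env left over from the previous version of the step is now unused and should go.
```yaml
      - name: Sign the images with GitHub OIDC Token
        run: |
          set -euo pipefail
          ref='${{ env.GHCR_REPO }}:${{ github.sha }}'
          # Bind the signature to the immutable manifest-list digest, never to a tag.
          digest=$(docker buildx imagetools inspect "${ref}" --format '{{.Manifest.Digest}}')
          cosign sign --yes "${{ env.GHCR_REPO }}@${digest}"
```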
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Tue, 5 Aug 2025 11:07:41 +0200 Subject: [PATCH 05/20] remove dead code --- .github/workflows/build-docker.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index 2c2177d66d..f415c13b02 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -111,7 +111,6 @@ jobs: docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64 docker manifest push ${tag} done - # ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7 - name: Sign the images with GitHub OIDC Token env: From c06c063bc3ea6fd632b1462b8f52556ccc2029f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 11:51:06 +0200 Subject: [PATCH 06/20] test signing blobs --- .github/workflows/release.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a79149cb92..050339ee31 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,10 +53,12 @@ jobs: build-binaries: needs: [create-release] + runs-on: - self-hosted - Linux - X64 + strategy: fail-fast: false matrix: @@ -71,6 +73,12 @@ jobs: - build: freebsd arch: amd64 target: x86_64-unknown-freebsd + + permissions: + contents: read + packages: write + id-token: write # needed for signing the images with GitHub OIDC Token + steps: # Store the version, stripping any v-prefix - name: Write release version @@ -84,6 +92,9 @@ jobs: with: submodules: recursive + - name: Install Cosign + uses: sigstore/cosign-installer@v3.9.2 + - name: Setup `packer` uses: hashicorp/setup-packer@main id: setup 
@@ -140,6 +151,11 @@ jobs: defguard-${{ github.ref_name }}-${{ matrix.target }} outPath: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + - name: Sign release archive + run: | + archive='defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz' + cosign sign-blob --yes ${archive} --output-signature ${archive}.sig + - name: Upload release archive uses: actions/upload-release-asset@v1.0.2 env: @@ -150,6 +166,16 @@ jobs: asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz asset_content_type: application/octet-stream + - name: Upload release archive signature + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz.sig + asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz.sig + asset_content_type: application/octet-stream + - name: Build DEB package if: matrix.build == 'linux' uses: defGuard/fpm-action@main From 5f78e546eb11f6b72dca46fab1777d5d7a569fa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 11:51:48 +0200 Subject: [PATCH 07/20] remove temporary override --- .github/workflows/current.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index 3871e3754c..df509b6229 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -5,7 +5,6 @@ on: - main - dev - "release/**" - - sign_release_assets paths-ignore: - "*.md" - "LICENSE" From c245f5124233c4bbd67b3f3befa6bb245e34942c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 13:42:16 +0200 Subject: [PATCH 08/20] debug files being created --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 050339ee31..1264b791ec 100644 
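Review bot: The new Sign release archive step keeps only the detached signature, but with keyless signing `cosign verify-blob` also needs the short-lived Fulcio certificate (and ideally the Rekor entry), which `--output-signature` does not capture; a bare `.sig` cannot be verified by the users this step is meant to serve. Add `--bundle "${archive}.sigstore.json"` (or at least `--output-certificate "${archive}.pem"`), upload that file alongside the archive, and document the matching `cosign verify-blob` flags. Start the script with `set -euo pipefail` so a failed signing cannot be followed by uploading the archive unsigned. Later patches in this series drop blob signing entirely; if it is reintroduced, this is the shape it needs.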
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -155,6 +155,7 @@ jobs: run: | archive='defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz' cosign sign-blob --yes ${archive} --output-signature ${archive}.sig + ls -la - name: Upload release archive uses: actions/upload-release-asset@v1.0.2 From 578fa0d4c50fc69ee782ac9fe6902199f8560d11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 8 Aug 2025 09:40:15 +0200 Subject: [PATCH 09/20] adjust workflow permissions --- .github/workflows/release.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1264b791ec..4f6e14172c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -75,8 +75,7 @@ jobs: target: x86_64-unknown-freebsd permissions: - contents: read - packages: write + contents: write # needed to upload release assets id-token: write # needed for signing the images with GitHub OIDC Token steps: @@ -151,11 +150,10 @@ jobs: defguard-${{ github.ref_name }}-${{ matrix.target }} outPath: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - name: Sign release archive + - name: Sign release archive with GitHub OIDC token run: | archive='defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz' cosign sign-blob --yes ${archive} --output-signature ${archive}.sig - ls -la - name: Upload release archive uses: actions/upload-release-asset@v1.0.2 From 89b4d9bee403f56ef640b4b70d148f56788fc13c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 8 Aug 2025 12:26:25 +0200 Subject: [PATCH 10/20] try running tests on AWS runner --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3257ad7498..705f8130ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
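Review bot: `contents: write` is now granted to every matrix leg of `build-binaries`, a job that also runs third-party actions on floating refs (`hashicorp/setup-packer@main` and `defGuard/fpm-action@main` appear elsewhere in this file), so a compromised upstream branch would execute with a token able to push to this repository and replace release assets. Pin those actions to commit SHAs in the same change that widens the token, or move the upload steps into a separate job that receives the archives as artifacts and is the only one holding `contents: write`. The retained comment `# needed for signing the images with GitHub OIDC Token` is also misleading here since this job signs release archives, not images; `# needed for keyless sign-blob via GitHub OIDC` says what it actually does.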
@@ -20,7 +20,10 @@ on: jobs: test: - runs-on: [self-hosted, Linux, X64] + # FIXME: remove once migration to AWS runners is complete + # runs-on: [self-hosted, Linux, X64] + runs-on: + - codebuild-defguard-runner-${{ github.run_id }}-${{ github.run_attempt }} container: rust:1 services: From a51da5edf61e44901b864949e9e7ea29b3e572ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 8 Aug 2025 13:08:36 +0200 Subject: [PATCH 11/20] try out a different runner --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 705f8130ee..5d8a4301f9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ jobs: # FIXME: remove once migration to AWS runners is complete # runs-on: [self-hosted, Linux, X64] runs-on: - - codebuild-defguard-runner-${{ github.run_id }}-${{ github.run_attempt }} + - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }} container: rust:1 services: From cc69f53b8595cfa0794742c27b38f1586133c05c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 8 Aug 2025 13:32:50 +0200 Subject: [PATCH 12/20] is this service necessary? --- .github/workflows/ci.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5d8a4301f9..f00668fd52 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -26,18 +26,18 @@ jobs: - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }} container: rust:1 - services: - postgres: - image: postgres:17-alpine - env: - POSTGRES_DB: defguard - POSTGRES_USER: defguard - POSTGRES_PASSWORD: defguard - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 + # services: + # postgres: + # image: postgres:17-alpine + # env: + # POSTGRES_DB: defguard + # POSTGRES_USER: defguard + # POSTGRES_PASSWORD: defguard + # options: >- + # --health-cmd pg_isready + # --health-interval 10s + # --health-timeout 5s + # --health-retries 5 env: CARGO_TERM_COLOR: always From c340a1b8616b7b564a369830c9618847f912a81e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 8 Aug 2025 13:49:18 +0200 Subject: [PATCH 13/20] maybe it is --- .github/workflows/ci.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f00668fd52..5d8a4301f9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,18 +26,18 @@ jobs: - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }} container: rust:1 - # services: - # postgres: - # image: postgres:17-alpine - # env: - # POSTGRES_DB: defguard - # POSTGRES_USER: defguard - # POSTGRES_PASSWORD: defguard - # options: >- - # --health-cmd pg_isready - # --health-interval 10s - # --health-timeout 5s - # --health-retries 5 + services: + postgres: + image: postgres:17-alpine + env: + POSTGRES_DB: defguard + POSTGRES_USER: defguard + POSTGRES_PASSWORD: defguard + options: >- + --health-cmd pg_isready + --health-interval 10s + --health-timeout 5s + --health-retries 5 env: CARGO_TERM_COLOR: always From 778279cb53ad76e07731274c8d9155fff71e2bc5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 08:07:45 +0200 Subject: [PATCH 14/20] don't try to sign binaries --- .github/workflows/release.yml | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f6e14172c..9d12f67e14 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -76,7 +76,6 @@ jobs: permissions: contents: write # needed to upload release assets - id-token: write # needed for signing the images with GitHub OIDC Token steps: # Store the version, stripping any v-prefix @@ -91,9 +90,6 @@ jobs: with: submodules: recursive - - name: Install Cosign - uses: sigstore/cosign-installer@v3.9.2 - - name: Setup `packer` uses: hashicorp/setup-packer@main id: setup @@ -150,11 +146,6 @@ jobs: defguard-${{ github.ref_name }}-${{ matrix.target }} outPath: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - name: Sign release archive with GitHub OIDC token - run: | - archive='defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz' - cosign sign-blob --yes ${archive} --output-signature ${archive}.sig - - name: Upload release archive uses: actions/upload-release-asset@v1.0.2 env: @@ -165,16 +156,6 @@ jobs: asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz asset_content_type: application/octet-stream - - name: Upload release archive signature - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz.sig - asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz.sig - asset_content_type: application/octet-stream - - name: Build DEB package if: matrix.build == 'linux' uses: defGuard/fpm-action@main From 46a6d5d5bf481cc08cb76ef4e5e53b5cef44c320 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 08:11:10 +0200 Subject: [PATCH 15/20] uncomment code --- .github/workflows/current.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index df509b6229..26b5c76062 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -21,19 +21,19 @@ jobs: type=ref,event=branch type=sha - # trigger-e2e: - # needs: build-current - # uses: ./.github/workflows/e2e.yml - # secrets: inherit + trigger-e2e: + needs: build-current + uses: ./.github/workflows/e2e.yml + secrets: inherit - # trigger-dev-deploy: - # needs: build-current - # if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' }} - # uses: ./.github/workflows/dev-deployment.yml - # secrets: inherit + trigger-dev-deploy: + needs: build-current + if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' }} + uses: ./.github/workflows/dev-deployment.yml + secrets: inherit - # trigger-staging-deploy: - # needs: build-current - # if: ${{ github.event_name != 'pull_request' && startsWith(github.ref_name, 'release/') }} - # uses: ./.github/workflows/staging-deployment.yml - # secrets: inherit + trigger-staging-deploy: + needs: build-current + if: ${{ github.event_name != 'pull_request' && startsWith(github.ref_name, 'release/') }} + uses: ./.github/workflows/staging-deployment.yml + secrets: inherit From 55a9d505e202f914251cc34639d15cac0f057dcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 08:12:55 +0200 Subject: [PATCH 16/20] remove stuff related to AWS runners --- .github/workflows/ci.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5d8a4301f9..cf0933af95 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -20,10 +20,7 @@ on: jobs: test: - # FIXME: remove once migration to AWS runners is complete - # runs-on: [self-hosted, Linux, X64] - runs-on: - - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }} + runs-on: [self-hosted, Linux, X64] container: rust:1 services: @@ -55,21 +52,28 @@ jobs: uses: actions/checkout@v4 with: submodules: recursive + - name: Cache uses: Swatinem/rust-cache@v2 + - name: Install protoc run: apt-get update && apt-get -y install protobuf-compiler + - name: Check format run: | rustup component add rustfmt cargo fmt -- --check + - name: Run clippy linter run: | rustup component add clippy cargo clippy --all-targets --all-features -- -D warnings + - name: Run cargo deny uses: EmbarkStudios/cargo-deny-action@v2 + - name: Install nextest uses: taiki-e/install-action@nextest + - name: Run tests run: cargo nextest run --locked --no-fail-fast From e7fafe97f171469b9a60debbb139aa5a863bff36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 09:25:04 +0200 Subject: [PATCH 17/20] add signature verification step --- .github/workflows/build-docker.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index f415c13b02..8409b2a672 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -113,8 +113,12 @@ jobs: done - name: Sign the images with GitHub OIDC Token - env: - DIGEST: ${{ steps.build-and-push.outputs.digest }} run: | images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}' cosign sign --yes ${images} + + - name: Verify image signatures + run: | + images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}' + cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/defguard" -o text + 
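Review bot: `--certificate-identity-regexp="https://github.com/DefGuard/defguard"` in the new verify step is an unanchored substring match, so it accepts a certificate issued to any workflow in any repository whose path starts with that string and to any ref of this one, including pull-request merge refs if this reusable workflow is invoked for PRs as `current.yml` suggests; the check proves little more than "some DefGuard workflow signed it". Anchor the pattern and pin the workflow file and the refs allowed to publish, e.g. `--certificate-identity-regexp='^https://github\.com/DefGuard/defguard/\.github/workflows/build-docker\.yml@refs/(heads/main|tags/v[0-9].*)$'`, confirming the exact SAN form for a reusable workflow from a real certificate via `cosign verify ... -o text` first. The same pattern is reproduced for end users in the README later in this series, so the fix has to land in both places. Verifying the tags just signed rather than the digest also cannot detect a tag being re-pointed afterwards; verifying `${{ env.GHCR_REPO }}@<digest>` would.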
From bd3d110237b562b2d4927a5a4fd11bea9583b245 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 09:28:12 +0200 Subject: [PATCH 18/20] run test --- .github/workflows/current.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index 26b5c76062..b363a4c91b 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -5,6 +5,7 @@ on: - main - dev - "release/**" + - sign_release_assets paths-ignore: - "*.md" - "LICENSE" From 4dc6d9ffb03085185a28815c2505d13679e79a72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 09:48:25 +0200 Subject: [PATCH 19/20] add verification info to readme --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index 6879aa6d49..79515563f7 100644 --- a/README.md +++ b/README.md 
@@ -180,6 +180,35 @@ The code in this repository is available under a dual licensing model: Please review the [Contributing guide](https://docs.defguard.net/for-developers/contributing) for information on how to get started contributing to the project. You might also find our [environment setup guide](https://docs.defguard.net/for-developers/dev-env-setup) handy. +## Verifiability of releases + +We provide following ways to verify the authenticity and integrity of official releases: + +### Docker Image Verification with Cosign + +All official Docker images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/). To verify a Docker image: + +1. [Install](https://github.com/sigstore/cosign?tab=readme-ov-file#installation) cosign CLI + +2. Verify the image signature (replace with the tag you want to verify): + ```bash + cosign verify --certificate-identity-regexp="https://github.com/DefGuard/defguard" \ + --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ + ghcr.io/defguard/defguard: + ``` + +### Release Asset Verification + +All release assets (binaries, packages, etc.) include SHA256 checksums that are automatically generated and published with each GitHub release: + +1. Download the release asset and copy its corresponding checksum from the [releases page](https://github.com/DefGuard/defguard/releases) + +2. Verify the checksum: + ```bash + # Linux/macOS + echo known_sha256_checksum_of_the_file path/to/file | sha256sum --check + ``` + # Built and sponsored by

From 8317a61345293c0980f9d083f611119879f7aad2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Mon, 11 Aug 2025 10:21:30 +0200 Subject: [PATCH 20/20] remove test branch --- .github/workflows/current.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index b363a4c91b..26b5c76062 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -5,7 +5,6 @@ on: - main - dev - "release/**" - - sign_release_assets paths-ignore: - "*.md" - "LICENSE"