@bgentry bgentry commented Jan 2, 2026

The offline bundle verification step would fail when oras discover returned a referrers index with manifests=null.

To resolve this and further harden the publish flow, I implemented a separate script which:

  • Extracts referrers prefetch + offline verification into scripts/ci
  • Force-fetches subject + referrers via curl (custom header) before oras
  • Retries discovery briefly and handles empty referrer sets safely

@brandur I'm going to test this manually with some prerelease tags prior to #482 to make sure the full release flow is working smoothly prior to cutting a real release tag.

@bgentry bgentry requested a review from brandur January 2, 2026 21:46

@brandur brandur left a comment

Approving to get unblocked, but IMO this is starting to be a large amount of code that doesn't have any testing and doesn't have any easy capacity to be tested besides pushing prerelease tags. It'd be nice if there was some way to get some basic exercise of it locally so we could vet changes more easily.

The offline bundle verification step would fail when oras discover
returned a referrers index with manifests=null.

To resolve this and further harden the publish flow, I implemented a
separate script which:

- Extracts referrers prefetch + offline verification into scripts/ci
- Force-fetches subject + referrers via curl (custom header) before oras
- Retries discovery briefly and handles empty referrer sets safely
@bgentry bgentry force-pushed the bg-fix-offline-crypto-attestation-verify branch from 85cf179 to b0d3122 on January 3, 2026 19:42
@bgentry bgentry force-pushed the bg-fix-offline-crypto-attestation-verify branch from e018fbd to 1b7b256 on January 3, 2026 20:03
ORAS v1.3.0 emits discovery results under .referrers, not .manifests.
Update CI helper scripts to accept both shapes so bundle discovery
works and offline verification stops failing.
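The two discovery shapes described in the PR and in this commit (an index with `manifests: null`, and the `.referrers` key ORAS v1.3.0 emits) handled by one parser, as an added example that is not the project's own scripts/ci code. The function names, the constructed sample documents, the artifactType values and the digest-format filter are all assumptions made here, not taken from the repository.

```python
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample `oras discover` outputs (not captured from a registry):
# the older shape with a null manifest list, and the ORAS v1.3.0 shape.
OLD_SHAPE_NULL = '{"schemaVersion": 2, "manifests": null}'
NEW_SHAPE = json.dumps({"referrers": [
    {"digest": "sha256:" + "a" * 64,
     "artifactType": "application/vnd.dev.sigstore.bundle.v0.3+json"},
    {"digest": "sha256:" + "b" * 64, "artifactType": "application/vnd.example.sbom"},
    {"digest": "not-a-digest", "artifactType": "application/vnd.example.sbom"},
]})


def referrer_digests(discover_json, artifact_type=None):
    """Extract referrer digests from `oras discover` JSON output, accepting
    both `.manifests` (older shape) and `.referrers` (ORAS v1.3.0); a null or
    missing list is an empty referrer set, and malformed digests are dropped
    so nothing unvalidated is handed to a later fetch."""
    doc = json.loads(discover_json)
    if not isinstance(doc, dict):
        raise ValueError("discovery output is not a JSON object")
    # null, absent or [] under either key all mean "no referrers yet", not an error
    entries = doc.get("referrers") or doc.get("manifests") or []
    if not isinstance(entries, list):
        raise ValueError("referrer list has unexpected type")
    digests = []
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        if artifact_type is not None and entry.get("artifactType") != artifact_type:
            continue
        digest = entry.get("digest", "")
        if isinstance(digest, str) and DIGEST_RE.match(digest):
            digests.append(digest)
    return digests


def discover_with_retry(run_discover, attempts=3, artifact_type=None):
    """Re-run discovery until a matching referrer appears or attempts run out;
    an empty set after the last try is returned, not raised (sleep omitted)."""
    digests = []
    for _ in range(max(1, attempts)):
        digests = referrer_digests(run_discover(), artifact_type)
        if digests:
            break
    return digests
```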
@bgentry bgentry force-pushed the bg-fix-offline-crypto-attestation-verify branch from 1b7b256 to 9f7084a on January 3, 2026 20:11

bgentry commented Jan 3, 2026

@brandur I agree it's frustrating to not be able to test more of this locally. On the other hand we don't actually need to make prerelease tags to test it in CI, we just need to update the triggers here to include pushes to other branches:

```yaml
on:
  push:
    branches:
      - "master"
    tags:
      - "riverproui/v*"
  pull_request:
    branches:
      - "master"
```

This is how it typically goes with testing anything driven by GHA and is definitely never a fun way to iterate. I think the only way to avoid that is to keep the pipeline itself just calling scripts/tools that can easily be tested independently, which would take some work here for sure.

@bgentry bgentry force-pushed the bg-fix-offline-crypto-attestation-verify branch from 9f7084a to 9cfebbc on January 3, 2026 20:21

bgentry commented Jan 3, 2026

Ok, this fixed things! I made updates to the development.md docs as well. It seems clear to me that we will need to take a good look at how we can optimize all of our releases later this year, there are just too many moving parts across too many repos and new versions are too time consuming for us.

@bgentry bgentry enabled auto-merge (squash) January 3, 2026 20:24
@bgentry bgentry mentioned this pull request Jan 3, 2026
@bgentry bgentry merged commit 16d13e9 into master Jan 3, 2026
23 checks passed
@bgentry bgentry deleted the bg-fix-offline-crypto-attestation-verify branch January 3, 2026 20:28
