mirror of
https://github.com/openai/codex.git
synced 2026-02-01 22:47:52 +00:00
### Summary

Linux codesigning with Sigstore; test run output at https://github.com/openai/codex/actions/runs/19994328162?pr=7662. Sigstore is one of the few ways of codesigning for the Linux platform. Linux is open source, and therefore binary/dist validation comes with the build itself instead of from a central authority like Windows or Mac. The alternative here is to use GPG, which again has a public key included with the bundle for validation. The advantage with Sigstore is that we do not have to create a private key for signing but rather use [keyless signing](https://docs.sigstore.dev/cosign/signing/overview/). This should be sufficient for us at this point, and if we want to we can support GPG in the future.
45 lines | 1.1 KiB | YAML
```yaml
name: linux-code-sign
description: Sign Linux artifacts with cosign.
inputs:
  target:
    # Declared for callers, but not referenced by the signing step below.
    description: Target triple for the artifacts to sign.
    required: true
  artifacts-dir:
    description: Absolute path to the directory containing built binaries to sign.
    required: true

runs:
  using: composite
  steps:
    - name: Install cosign
      uses: sigstore/cosign-installer@v3.7.0

    - name: Cosign Linux artifacts
      shell: bash
      env:
        COSIGN_EXPERIMENTAL: "1"
        COSIGN_YES: "true"
        COSIGN_OIDC_CLIENT_ID: "sigstore"
        COSIGN_OIDC_ISSUER: "https://oauth2.sigstore.dev/auth"
      run: |
        set -euo pipefail

        dest="${{ inputs.artifacts-dir }}"
        if [[ ! -d "$dest" ]]; then
          echo "Destination $dest does not exist"
          exit 1
        fi

        # Keyless signing: each binary gets a sibling <binary>.sigstore bundle
        # (signature, short-lived certificate, transparency-log entry).
        for binary in codex codex-responses-api-proxy; do
          artifact="${dest}/${binary}"
          if [[ ! -f "$artifact" ]]; then
            echo "Binary $artifact not found"
            exit 1
          fi

          cosign sign-blob \
            --yes \
            --bundle "${artifact}.sigstore" \
            "$artifact"
        done
```
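The consumer side of this action, as an added example that is not part of the codex repository: a script that verifies the `<binary>.sigstore` bundles before the binaries are trusted. It assumes the job ran with GitHub Actions' ambient OIDC token, so the Fulcio certificate carries GitHub's token issuer and a workflow in `openai/codex` as the signer identity; the issuer value and the identity regexp are assumptions to be checked against a real certificate before pinning.

```shell
#!/bin/sh
# Verify the keyless signatures the linux-code-sign action produces.
# Added example; not part of openai/codex.
set -eu

# Assumed pins (not stated on the page). Without both constraints a keyless
# signature from any identity at any OIDC provider would be accepted.
EXPECTED_ISSUER="https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY_REGEXP='^https://github\.com/openai/codex/\.github/workflows/.+$'

# verify_blob <artifact>: 0 only if <artifact>.sigstore exists and cosign
# accepts the signature, certificate chain, transparency-log entry, and
# the pinned signer identity and issuer.
verify_blob() {
    artifact="$1"
    bundle="$1.sigstore"
    if [ ! -f "$artifact" ]; then
        echo "missing artifact: $artifact" >&2
        return 1
    fi
    if [ ! -f "$bundle" ]; then
        echo "missing bundle: $bundle (unsigned or incomplete download)" >&2
        return 1
    fi
    cosign verify-blob \
        --bundle "$bundle" \
        --certificate-oidc-issuer "$EXPECTED_ISSUER" \
        --certificate-identity-regexp "$EXPECTED_IDENTITY_REGEXP" \
        "$artifact"
}

# verify_release_dir <dir>: the same two binaries the action signs;
# fails closed on the first one that does not verify.
verify_release_dir() {
    dir="$1"
    for binary in codex codex-responses-api-proxy; do
        verify_blob "$dir/$binary" || return 1
    done
}

# Usage: verify-codex-release.sh <download-dir>
if [ "$#" -gt 0 ]; then
    verify_release_dir "$1"
fi
```

A failed `cosign verify-blob` reports the subject and issuer it found in the certificate, which is the right place to take the real values for the two pins from.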