Merge branch 'trunk' into attestation-bundle-fetch-improvements

2025-01-24 09:26:59 -07:00 · 2025-01-24 09:26:59 -07:00 · 9e573d1e10
commit 9e573d1e10
parent 840fe2198c 77cc1b17bd
3 changed files with 41 additions and 5 deletions
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@ -203,10 +203,8 @@ jobs:
              platform="x64"
              ;;
            *_arm64 )
-              echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
-              continue
-              #source_dir="$PWD/dist/windows_windows_arm64"
-              #platform="arm64"
+              source_dir="$PWD/dist/windows_windows_arm64"
+              platform="arm64"
              ;;
            * )
              printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
@ -299,7 +297,7 @@ jobs:
          rpmsign --addsign dist/*.rpm
      - name: Attest release artifacts
        if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
        with:
          subject-path: "dist/gh_*"
      - name: Run createrepo
--- a/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
+++ b/test/integration/attestation-cmd/verify/verify-with-custom-trusted-root.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+artifactPath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0.tgz"
+bundlePath="$rootDir/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl"
+
+# Download a custom trusted root for verification
+if ! $ghBuildPath attestation trusted-root > trusted_root.jsonl; then
+    # cleanup test data
+    echo "Failed to download trusted root"
+    exit 1
+fi
+
+if ! $ghBuildPath attestation verify "$artifactPath" -b "$bundlePath" --digest-alg=sha512 --owner=sigstore --custom-trusted-root trusted_root.jsonl; then
+    echo "Failed to verify package with a Sigstore v0.2.0 bundle"
+    exit 1
+fi
--- a/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
+++ b/test/integration/attestation-cmd/verify/verify-with-internal-github-sigstore.sh
@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Get the root directory of the repository
+rootDir="$(git rev-parse --show-toplevel)"
+
+ghBuildPath="$rootDir/bin/gh"
+
+ghCLIArtifact="$rootDir/pkg/cmd/attestation/test/data/gh_2.60.1_windows_arm64.zip"
+
+# Verify the gh CLI artifact
+echo "Testing with package $ghCLIArtifact"
+if ! $ghBuildPath attestation verify "$ghCLIArtifact" --digest-alg=sha256 --owner=cli; then
+    echo "Failed to verify"
+    exit 1
+fi