feat: improve signature validation and refactor release scripts #46

technicalpickles merged 4 commits into main from
## Signature Validation Improvements

- Add bundle format support to cosign signing process
- Implement fallback verification (bundle -> signature -> multiple identity patterns)
- Add immediate signature verification in GitHub Actions workflow
- Improve error reporting with debugging information
- Use GitHub CLI instead of curl for more reliable asset downloads

## Dynamic Version Management

- Remove hard-coded versions from test scripts
- Auto-detect current version from Cargo.toml
- Update aqua configuration to support both bundle and signature formats

## Technical Changes

- Enhanced validation script with multiple verification approaches
- Added bundle support to aqua registry configuration
- Improved error handling and debugging output
- Better compatibility with different cosign versions

This addresses the signature verification issues and makes the testing infrastructure more maintainable by eliminating hard-coded version references.
## Motivation

- Complex shell logic in GitHub Actions is hard to test and maintain
- Inline scripts make the workflow file harder to read
- Dedicated scripts can be tested locally and reused

## Changes

- **scripts/filter-release-files.sh**: Extract file filtering logic
- **scripts/sign-release-binaries.sh**: Extract cosign signing logic
- **scripts/verify-release-signatures.sh**: Extract signature verification
- Update GitHub Actions workflow to use scripts instead of inline shell

## Benefits

- ✅ Testable locally without GitHub Actions
- ✅ Better error handling and logging
- ✅ Cleaner workflow file
- ✅ Reusable scripts for manual operations
- ✅ Easier to debug and maintain

## Testing

- Scripts include proper error handling
- File filtering correctly excludes test files
- All scripts have executable permissions
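A fail-closed version of the verification flow the two descriptions above outline (bundle first, signature fallback, version taken from Cargo.toml), added here as an example and not one of the PR's own scripts. It assumes things the page does not state: the release workflow is `.github/workflows/release.yml` and runs on pushes of tags named `v<version>`, and `REPO` is supplied as `owner/repo` (the `owner/repo` default is a placeholder). `cargo_version` reads the crate version, `expected_identity` derives the exact certificate identity a tag-triggered run carries, and `verify_release_file` prefers the `.bundle` and uses the `.sig`/`.pem` pair only when no bundle exists; a bundle that fails to verify is an error, never a reason to fall back, and cosign's stderr is left intact.

```bash
#!/usr/bin/env bash
# Added example, not one of the project's release scripts.
# Assumptions (not stated on the page): the release workflow is
# .github/workflows/release.yml and runs on pushes of tags named v<version>;
# REPO is "owner/repo" and is supplied via the environment.
set -euo pipefail

REPO="${REPO:-owner/repo}"   # placeholder; set REPO=owner/repo when running
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Crate version from Cargo.toml. Only the first `version = "..."` line is
# taken, so `version` keys inside [dependencies] tables are not picked up.
cargo_version() {
    local manifest="${1:-Cargo.toml}"
    awk -F'"' '/^version *= *"/ { print $2; exit }' "$manifest"
}

# Exact certificate identity (Fulcio SAN) a tag-triggered run of the release
# workflow carries: workflow path plus the triggering ref.
expected_identity() {
    local version="$1"
    printf 'https://github.com/%s/.github/workflows/release.yml@refs/tags/v%s\n' \
        "$REPO" "$version"
}

# Verify one artifact against the pinned identity. The bundle is preferred;
# the .sig/.pem pair is used only when no bundle exists. A bundle that fails
# to verify is an error, not a reason to fall back. stderr is left intact so
# cosign's own diagnostics are visible. Returns 0 on success, 1 otherwise.
verify_release_file() {
    local file="$1" version="$2"
    local identity
    identity="$(expected_identity "$version")"

    if [ -f "${file}.bundle" ]; then
        if cosign verify-blob \
                --bundle "${file}.bundle" \
                --certificate-identity "$identity" \
                --certificate-oidc-issuer "$OIDC_ISSUER" \
                "$file"; then
            return 0
        fi
        echo "error: bundle verification failed for $file" >&2
        return 1
    fi

    if [ -f "${file}.sig" ] && [ -f "${file}.pem" ]; then
        if cosign verify-blob \
                --signature "${file}.sig" \
                --certificate "${file}.pem" \
                --certificate-identity "$identity" \
                --certificate-oidc-issuer "$OIDC_ISSUER" \
                "$file"; then
            return 0
        fi
        echo "error: signature verification failed for $file" >&2
        return 1
    fi

    echo "error: no .bundle or .sig/.pem found for $file" >&2
    return 1
}

# Usage: REPO=owner/repo ./verify-example.sh dist/tool-x86_64-unknown-linux-gnu ...
# Exits non-zero if any artifact fails, so CI cannot pass on a bad signature.
if [ "$#" -gt 0 ]; then
    version="$(cargo_version)"
    status=0
    for f in "$@"; do
        verify_release_file "$f" "$version" || status=1
    done
    exit "$status"
fi
```

Pinning `--certificate-identity` to the full workflow path and ref is what makes the check meaningful: an unanchored regexp or a missing identity flag lets any Fulcio-issued certificate satisfy `verify-blob`. If the workflow is branch-triggered rather than tag-triggered, only the `refs/tags/v...` suffix in `expected_identity` needs to change.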
Pull Request Overview
This PR improves signature validation reliability and refactors the release process by extracting inline scripts into dedicated, testable shell scripts. The main focus is addressing cosign keyless verification failures by adding bundle format support alongside existing signature verification.
Key Changes:
- Adds bundle format support for cosign verification with signature fallback for compatibility
- Extracts release workflow logic into reusable shell scripts for better maintainability and local testing
- Implements dynamic version detection from Cargo.toml to eliminate hard-coded versions
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/verify-release-signatures.sh | New script for immediate signature verification with bundle and signature fallback |
| scripts/validate-signing.sh | Enhanced validation with bundle support, dynamic versioning, and improved error reporting |
| scripts/test-aqua-local.sh | Updated to use dynamic version detection from Cargo.toml |
| scripts/sign-release-binaries.sh | New script for signing binaries in both bundle and signature formats |
| scripts/filter-release-files.sh | New script to filter release files from distribution directory |
| aqua-registry-entry.yaml | Added bundle configuration alongside signature verification |
| .github/workflows/release.yml | Refactored to use extracted scripts and added immediate signature verification |
```bash
    # Try bundle verification first, then fall back to signature verification
    if [ -f "${file}.bundle" ]; then
        echo "  Trying bundle verification..."
        if cosign verify-blob --bundle "${file}.bundle" "$file" > /dev/null 2>&1; then
```
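Review bot: the fallback here triggers when bundle verification fails, not only when the `.bundle` file is absent, so a bundle that does not verify is silently tolerated and the weaker signature path decides the outcome; `> /dev/null 2>&1` also discards cosign's reason for failing, which works against the improved error reporting this PR sets out to add. Fall back only when `${file}.bundle` does not exist, treat a failed `cosign verify-blob --bundle` as an error, and leave stderr visible.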
Bundle verification should specify certificate identity validation. Without identity checks, this could accept bundles signed by any valid certificate, potentially allowing malicious binaries to pass verification.
```diff
-        if cosign verify-blob --bundle "${file}.bundle" "$file" > /dev/null 2>&1; then
+        if cosign verify-blob \
+          --bundle "${file}.bundle" \
+          --certificate-identity "https://github.com/$REPO/.github/workflows/release.yml@refs/heads/main" \
+          --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+          "$file" > /dev/null 2>&1; then
```
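Review bot: the suggested identity pins `@refs/heads/main`, which only matches runs of release.yml triggered from the main branch; the certificate's subject is the workflow path followed by the triggering ref, so if the release workflow runs on a tag push the identity ends in `@refs/tags/<tag>` and this check fails for every release. Pin the ref the workflow actually runs on (the Cargo.toml version this PR already detects gives the tag name), or use `--certificate-identity-regexp` anchored to the full `https://github.com/$REPO/.github/workflows/release.yml@` prefix.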
```bash
    # Try bundle verification first (more reliable)
    if [ -f "$bundle_file" ]; then
        echo "  Trying bundle verification..."
        if cosign verify-blob --bundle "$bundle_file" "$binary" > /dev/null 2>&1; then
```
Bundle verification lacks certificate identity validation. This could accept bundles from any valid certificate authority, compromising security. Should include --certificate-identity-regexp or similar validation.
```bash
    cosign verify-blob \
        --signature "$sig_file" \
        --certificate-identity-regexp ".*$REPO.*" \
        --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
        "$binary" || true
```
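Review bot: `|| true` on the last line means a failed or tampered signature never fails the script, so this fallback is advisory at best; drop `|| true` and propagate cosign's exit status (or record the failure and exit non-zero after the loop). The unanchored `.*$REPO.*` regexp compounds this: it matches any workflow on any ref of the repository, and any other repository whose path merely contains `$REPO`, so anchor it to the release workflow path and escape the dots in `$REPO`.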
The loose regex pattern .*$REPO.* in certificate identity validation is overly permissive and could match unintended certificate identities, potentially allowing verification of malicious signatures.
## New Scripts

### monitor-release-workflow.sh

- Monitor GitHub Actions release workflow until completion
- Wait for new workflows to start or monitor in-progress runs
- Configurable timeout and polling intervals
- Detailed job status reporting
- Robust error handling and colored output

### monitor-and-validate-release.sh

- End-to-end monitoring and validation workflow
- Automatically runs signature validation after release completes
- Provides clear next steps for aqua registry submission
- Comprehensive error reporting and debugging guidance

## Features

- ✅ **Smart Detection**: Detects in-progress runs vs waiting for new ones
- ✅ **Real-time Status**: Shows job-level progress during execution
- ✅ **Automatic Validation**: Runs signature validation immediately after completion
- ✅ **Error Handling**: Comprehensive error messages and debugging steps
- ✅ **Configurable**: Customizable timeouts and polling intervals
- ✅ **User-Friendly**: Colored output and clear progress indicators

## Usage

```bash
# Monitor and validate automatically (recommended)
./scripts/monitor-and-validate-release.sh

# Monitor workflow only
./scripts/monitor-release-workflow.sh

# Custom configuration
./scripts/monitor-release-workflow.sh myorg/myrepo Release main 60 10
```

These scripts will be essential for validating the improved bundle-based signing process once PR #46 merges and triggers a new release.
This version bump will trigger a release with the new bundle-based signing process from PR #46, allowing us to validate that:

- Bundle files (.bundle) are created correctly
- Signature verification works with the new format
- Both bundle and signature formats are available for aqua compatibility
- Immediate verification in CI catches any signing issues

Once this release completes, we can use the monitoring scripts to validate the improved signing process is working correctly.
## Overview

This PR addresses signature verification issues and refactors the release process for better maintainability and testing.

## 🔐 Signature Validation Improvements

### Root Issue Fixed

### Enhanced Verification

## 🔧 Release Process Refactoring

### Extracted Scripts

### Benefits

## 📦 Dynamic Version Management

### No More Hard-Coded Versions

## 🎯 Aqua Registry Improvements

### Enhanced Configuration

## 🧪 Testing & Validation

### What's Been Tested

### What Will Be Tested in CI

## 🚀 Expected Impact

### For Users

### For Maintainers

## 📋 Validation Checklist

## 🎯 Next Steps

After this PR merges:

This PR represents a significant improvement in the reliability and maintainability of our release signing process, setting us up for successful aqua registry submission.