Skip to content

Improve Release Provenance #475

Description

@lishaduck

Hey Cosmo! I installed Sine in Windows yesterday 🥳, hit the Trojan warning (but ignored it), and then I finally joined the Discord and immediately was hit with the "Sine is a virus" garbage.

I thought it might be helpful to you if I provided some resources to help out here:

  • Create releases in CI
  • Pin GitHub actions to full-length SHAs (or set up the lockfile once that's GA)
  • Use lockfiles for the project dependencies
  • Build binaries in CI
    • CosmoCreeper/Sine
    • sineorg/bootloader
    • Sineorg/installer
  • Set up immutable releases to ensure releases aren't tampered with (possible with current configuration?)
  • Set up actions/attest to ensure that the binaries are the same as the ones built by CI
  • Get a free signing certificate from SignPath

Obviously, only the last one will help with actually preventing the Trojan warnings, but given how much of a pain it is, that'll be a bit and we really should be doing the rest if we want to actually claim it's secure.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requeststagedTo be fixed/added in the next update.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions