From 0cf3c045f3df0e6419e19421a29708ad813581a1 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Sun, 19 May 2024 11:03:59 +0200 Subject: [PATCH 1/4] maliciously selects wrong signing policy --- .github/workflows/build-and-sign.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index 24588b2..f89507d 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -43,7 +43,8 @@ jobs: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' project-slug: 'Demo_Application' - signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}' + # maliciously try to get a release signature from a feature branch + signing-policy-slug: 'release-signing' github-artifact-name: "demo-application" wait-for-completion: true output-artifact-directory: 'demo-application-signed' From 36245d984ee44bad8c1f7d487a33538dae8724bb Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Mon, 27 May 2024 16:36:50 +0200 Subject: [PATCH 2/4] prepares for updated to v0.4 --- .github/workflows/build-and-sign.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index f89507d..57a1bd8 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -6,8 +6,6 @@ run-name: Demo workflow signing with SignPath on: push: pull_request: - #schedule: - # - cron: '30 3 * * *' # every day at 3:30am UTC workflow_dispatch: # Allows you to run this workflow manually from the Actions tab jobs: @@ -27,6 +25,7 @@ jobs: run: ./sbom/Create-SBOM.ps1 - name: upload-unsigned-artifact + id: upload-unsigned-artifact uses: actions/upload-artifact@v4 with: name: "demo-application" 
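Review bot: The hard-coded `signing-policy-slug: 'release-signing'` makes the branch-based `SIGNPATH_SIGNING_POLICY_SLUG` env value dead, and the comment should state what is expected to happen, because a branch check inside the workflow file cannot protect the release policy — anyone who can push a branch can edit this file. The only effective control is the origin verification configured on the `release-signing` policy on the SignPath side, which presumably rejects this request, but the hunk does not say so. I would extend the comment to `# maliciously try to get a release signature from a feature branch; expected to be rejected by the release-signing policy's origin verification (the branch selection in this file is not a control)`. The `sign` step header and its `env` block lie outside this hunk.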
@@ -38,14 +37,18 @@ jobs: - name: sign uses: signpath/github-action-submit-signing-request@v0.3 env: - SIGNPATH_SIGNING_POLICY_SLUG: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'release-signing' || 'test-signing' }} + # select release-signing policy for main and release branches + SIGNPATH_SIGNING_POLICY_SLUG: | + ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) + && 'release-signing' + || 'test-signing' }} with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' project-slug: 'Demo_Application' # maliciously try to get a release signature from a feature branch signing-policy-slug: 'release-signing' - github-artifact-name: "demo-application" + github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}" wait-for-completion: true output-artifact-directory: 'demo-application-signed' From 63c57058ca70561d70888f7aa3008d04548e4795 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Mon, 27 May 2024 16:39:32 +0200 Subject: [PATCH 3/4] prepares for updated to v0.4 (part 2) --- .github/workflows/build-and-sign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index 57a1bd8..a02b949 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -35,7 +35,7 @@ jobs: .\_BuildResult-unsigned\bom.xml - name: sign - uses: signpath/github-action-submit-signing-request@v0.3 + uses: signpath/github-action-submit-signing-request@v0.4 env: # select release-signing policy for main and release branches SIGNPATH_SIGNING_POLICY_SLUG: | From af79d4b783ec99edaa516650b181803b14e480a6 Mon Sep 17 00:00:00 2001 From: Paul Savoie Date: Mon, 9 Feb 2026 12:55:21 +0100 Subject: [PATCH 4/4] adds compatibility with dotnet cyclonedx 6.x --- sbom/Create-SBOM.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
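Review bot: `SIGNPATH_SIGNING_POLICY_SLUG: |` is a literal block scalar, so the evaluated env value would presumably keep a trailing newline and the line breaks around `&&`/`||`, and would not compare equal to `release-signing` if the slug is consumed again. A folded, stripped scalar, `SIGNPATH_SIGNING_POLICY_SLUG: >-`, yields a single-line value. The value is currently unused because `signing-policy-slug: 'release-signing'` is still hard-coded a few lines below, which contradicts the new comment `# select release-signing policy for main and release branches`; either drop the env block or note there that it is intentionally bypassed. Minor style: `github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"` lacks the spaces inside `${{ }}` and uses double quotes where the sibling inputs use single quotes, `github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}'`.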
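Review bot: `uses: signpath/github-action-submit-signing-request@v0.4` references a mutable tag, so the action that receives `SIGNPATH_API_TOKEN` and submits the signing request can change underneath the workflow without any change to this repository. Pinning to the full commit SHA of the v0.4 release with the tag in a trailing comment, `uses: signpath/github-action-submit-signing-request@<commit-sha-of-v0.4> # v0.4`, keeps each upgrade explicit and reviewable. The same applies to `actions/upload-artifact@v4` in the previous commit's hunk. The step's `with:` block continues outside this hunk.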
diff --git a/sbom/Create-SBOM.ps1 b/sbom/Create-SBOM.ps1 index 5632ace..4af6e99 100644 --- a/sbom/Create-SBOM.ps1 +++ b/sbom/Create-SBOM.ps1 @@ -24,7 +24,7 @@ dotnet tool install cyclonedx --tool-path $tempPath # 2.b create nuget bom $cyclonDxToolPath = Join-Path $tempPath "dotnet-CycloneDX.exe" -& "${cyclonDxToolPath}" --output "${tempPath}" -f "nuget.bom.xml" --exclude-dev src\DemoExample.csproj +& "${cyclonDxToolPath}" --output "${tempPath}" --filename "nuget.bom.xml" --exclude-dev src\DemoExample.csproj # 3 Create NPM SBOM $packageJsonPath = Join-Path $PSScriptRoot ".." "src" "package.json" @@ -52,4 +52,4 @@ if (-Not (Test-Path $cycloneDxCliToolPath)) { # 4.b merge both SBOMs into a final one $nugetBomPath = Join-Path $tempPath "nuget.bom.xml" $finalBomPath = Join-Path $PSScriptRoot ".." "_BuildResult-unsigned" "bom.xml" -& "${cycloneDxCliToolPath}" merge --input-files "${npmBomPath}" "${nugetBomPath}" --output-format "xml" --output-file "${finalBomPath}" --group "com.SignPath.demos" --name "SignPath Demo Application" --version "1.0.0" \ No newline at end of file +& "${cycloneDxCliToolPath}" merge --input-files "${npmBomPath}" "${nugetBomPath}" --output-format "xml" --output-file "${finalBomPath}" --group "com.SignPath.demos" --name "SignPath Demo Application" --version "1.0.0"
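Review bot: The `-f` → `--filename` change adapts to a CycloneDX 6.x CLI rename, but the tool is installed without a version (`dotnet tool install cyclonedx --tool-path $tempPath`, visible in the hunk header context), so the next major release can break this line again and the SBOM producer differs between runs. Pinning the install, `dotnet tool install cyclonedx --version <pinned-6.x-version> --tool-path $tempPath`, makes the flag change and the tool version move together; that install line lies just above this hunk. If the `cyclonedx-cli` binary checked via `Test-Path $cycloneDxCliToolPath` in the second hunk's context is fetched the same way, it deserves the same pin — those lines are outside the hunk.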