From b6f31bfba7898778b71df3b1ac14a3cd51a2500e Mon Sep 17 00:00:00 2001
From: Cary Phillips
Date: Wed, 14 Feb 2024 10:37:21 -0800
Subject: [PATCH 1/5] Add workflow to sign release artifacts with Sigstore

Replicates the openexr workflow: https://github.com/AcademySoftwareFoundation/openexr/pull/1637

Signed-off-by: Cary Phillips
---
 .github/workflows/release-sign.yml | 57 ++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 .github/workflows/release-sign.yml

diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
new file mode 100644
index 00000000..3133be78
--- /dev/null
+++ b/.github/workflows/release-sign.yml
@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) Contributors to the OpenEXR Project.
+
+name: Sign Release
+
+on:
+ release:
+ types: [created]
+
+permissions:
+ contents: write
+ id-token: write
+ repository-projects: write
+
+jobs:
+ release:
+ name: Sign & upload release artifacts
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Create archive
+ run: git archive --format=tar.gz -o Imath-${{ github.ref_name }}.tar.gz ${{ github.ref_name }}
+
+ - name: Sign archive with Sigstore
+ uses: sigstore/gh-action-sigstore-python@v2.1.0
+ with:
+ inputs: Imath-${{ github.ref_name }}.tar.gz
+
+ - name: Get release tag
+ id: get_release
+ uses: bruceadams/get-release@v1.3.2
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+
+ - name: Upload release archive
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ with:
+ upload_url: ${{ steps.get_release.outputs.upload_url }}
+ asset_path: Imath-${{ github.ref_name }}.tar.gz
+ asset_name: Imath-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/zip
+
+ - name: Upload release sigstore
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ with:
+ upload_url: ${{ steps.get_release.outputs.upload_url }}
+ asset_path: Imath-${{ github.ref_name }}.tar.gz.sigstore
+ asset_name: Imath-${{ github.ref_name }}.tar.gz.sigstore
+ asset_content_type: application/zip
\ No newline at end of file

From 5ae58ce52dcaf0afa71a372ab517f0c3fc30d09a Mon Sep 17 00:00:00 2001
From: Cary Phillips
Date: Thu, 15 Feb 2024 19:00:51 -0800
Subject: [PATCH 2/5] Use cosign and gh

Signed-off-by: Cary Phillips
---
 .github/workflows/release-sign.yml | 38 +++++++++--------------------
 1 file changed, 11 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
index 3133be78..62455bb2 100644
--- a/.github/workflows/release-sign.yml
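Review bot: Every third-party action in this job is referenced by a mutable tag (`actions/checkout@v2`, `sigstore/gh-action-sigstore-python@v2.1.0`, `bruceadams/get-release@v1.3.2`, `actions/upload-release-asset@v1.0.2`) while the job holds `contents: write` and `id-token: write`, so anyone able to move one of those tags could publish a validly signed release under this repository's identity. Pin each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`, and let Dependabot maintain the pins; `actions/checkout@v2` is additionally an end-of-life Node 12 major that later patches in this series do not bump. The same applies to the `uses:` lines patches 2 and 4 add (`sigstore/cosign-installer@v3.3.0`, `sigstore/gh-action-sigstore-python@v2.1.1`). `repository-projects: write` in the `permissions:` block is not needed by any step here and should be dropped to keep the token at least privilege.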
+++ b/.github/workflows/release-sign.yml @@ -13,45 +13,29 @@ permissions: repository-projects: write jobs: - release: + sign-release: name: Sign & upload release artifacts runs-on: ubuntu-latest + env: + tarball: Imath-${{ github.ref_name }}.tar.gz steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3.3.0 + with: + cosign-release: 'v2.2.2' - name: Checkout uses: actions/checkout@v2 - name: Create archive - run: git archive --format=tar.gz -o Imath-${{ github.ref_name }}.tar.gz ${{ github.ref_name }} + run: git archive --format=tar.gz -o ${{ env.tarball }} ${{ github.ref_name }} - name: Sign archive with Sigstore - uses: sigstore/gh-action-sigstore-python@v2.1.0 - with: - inputs: Imath-${{ github.ref_name }}.tar.gz - - - name: Get release tag - id: get_release - uses: bruceadams/get-release@v1.3.2 - env: - GITHUB_TOKEN: ${{ github.token }} + run: cosign sign-blob --yes ${{ env.tarball }} --bundle ${{ env.tarball }}-cosign.bundle - name: Upload release archive - uses: actions/upload-release-asset@v1.0.2 env: - GITHUB_TOKEN: ${{ github.token }} - with: - upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: Imath-${{ github.ref_name }}.tar.gz - asset_name: Imath-${{ github.ref_name }}.tar.gz - asset_content_type: application/zip + GH_TOKEN: ${{ github.token }} + run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}-cosign.bundle - - name: Upload release sigstore - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ github.token }} - with: - upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: Imath-${{ github.ref_name }}.tar.gz.sigstore - asset_name: Imath-${{ github.ref_name }}.tar.gz.sigstore - asset_content_type: application/zip \ No newline at end of file From e9c81f73d2fd835933b12fe41fa9a61f0093cc4e Mon Sep 17 00:00:00 2001 From: Cary Phillips Date: Thu, 15 Feb 2024 19:05:34 -0800 Subject: [PATCH 3/5] Add comment reference to sigstore docs 
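Review bot: The three `run:` lines added in this hunk splice `${{ env.tarball }}` and `${{ github.ref_name }}` into the shell command as template text, so a tag name containing spaces or shell metacharacters is interpreted by bash instead of being passed as an argument; the `git archive` line of patch 1 and the `gh release upload` line patch 4 keeps have the same shape. Because `tarball` is already a job-level `env:` entry, reference it and the tag through the environment instead, e.g. `run: git archive --format=tar.gz -o "$tarball" "$GITHUB_REF_NAME"` and `run: gh release upload "$GITHUB_REF_NAME" "$tarball" "$tarball-cosign.bundle"`. Only users who can create a release choose the tag, so the exposure is limited, but `${{ }}` expansion inside `run:` is the pattern GitHub's Actions hardening guidance says to avoid, and the environment form is also what keeps the step working for unusual tag names.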
Signed-off-by: Cary Phillips
---
 .github/workflows/release-sign.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
index 62455bb2..4a4fcc2b 100644
--- a/.github/workflows/release-sign.yml
+++ b/.github/workflows/release-sign.yml
@@ -1,6 +1,10 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright (c) Contributors to the OpenEXR Project. +# See https://docs.sigstore.dev for documentation about sigstore, and +# https://docs.sigstore.dev/signing/signing_with_blobs for the details +# of cosign and the signing process. + name: Sign Release on:

From 2beb8805d48fc1de83e8ced8666975ed425452d8 Mon Sep 17 00:00:00 2001
From: Cary Phillips
Date: Tue, 20 Feb 2024 15:25:42 -0800
Subject: [PATCH 4/5] Use gh-action-sigstore-python

Signed-off-by: Cary Phillips
---
 .github/workflows/release-sign.yml | 31 +++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/release-sign.yml b/.github/workflows/release-sign.yml
index 4a4fcc2b..7927017c 100644
--- a/.github/workflows/release-sign.yml
+++ b/.github/workflows/release-sign.yml
@@ -1,9 +1,19 @@ # SPDX-License-Identifier: BSD-3-Clause # Copyright (c) Contributors to the OpenEXR Project. -# See https://docs.sigstore.dev for documentation about sigstore, and -# https://docs.sigstore.dev/signing/signing_with_blobs for the details -# of cosign and the signing process. +# +# Releases are signed via https://github.com/sigstore/sigstore-python. +# See https://docs.sigstore.dev for information about sigstore. +# +# This action creates a .tar.gz of the complete Imath source tree at +# the given release tag, signs it via sigstore, and uploads the +# .tar.gz and the associated .tar.gz.sigstore credential bundle. +# +# To verify a downloaded release at a given tag: +# +# % pip install sigstore +# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/ Imath-.tar.gz +# name: Sign Release @@ -17,17 +27,14 @@ permissions: repository-projects: write jobs: - sign-release: + release: name: Sign & upload release artifacts runs-on: ubuntu-latest + env: tarball: Imath-${{ github.ref_name }}.tar.gz - + steps: - - name: Install Cosign - uses: sigstore/cosign-installer@v3.3.0 - with: - cosign-release: 'v2.2.2' - name: Checkout uses: actions/checkout@v2 @@ -36,10 +43,12 @@ jobs: run: git archive --format=tar.gz -o ${{ env.tarball }} ${{ github.ref_name }} - name: Sign archive with Sigstore - run: cosign sign-blob --yes ${{ env.tarball }} --bundle ${{ env.tarball }}-cosign.bundle + uses: sigstore/gh-action-sigstore-python@v2.1.1 + with: + inputs: ${{ env.tarball }} - name: Upload release archive env: GH_TOKEN: ${{ github.token }} - run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}-cosign.bundle + run: gh release upload ${{ github.ref_name }} ${{ env.tarball }} ${{ env.tarball }}.sigstore From c954f0327c3496ff4081f5818b2a9ab1ecf5eeab Mon Sep 17 00:00:00 2001 
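Review bot: The verification recipe in the new header comment reads, as it appears here, `@refs/tags/ Imath-.tar.gz`, with nothing where the tag should go in either place — presumably an angle-bracketed placeholder that did not survive rendering, but as the file stands a reader cannot tell what to substitute. Use a bracket-free placeholder and say what it stands for, e.g. `# % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/TAG Imath-TAG.tar.gz` preceded by `# (TAG is the release tag being verified)`. Patch 5 pastes the same recipe into SECURITY.md and needs the same fix. The phrase `.tar.gz.sigstore credential bundle` is also misleading: that file carries the signature, the signing certificate and the transparency-log entry, not credentials, so `signature bundle` is the accurate term.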
From: Cary Phillips
Date: Tue, 20 Feb 2024 18:13:42 -0800
Subject: [PATCH 5/5] Update security policy

Signed-off-by: Cary Phillips
---
 SECURITY.md | 81 +++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 72 insertions(+), 9 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 9f663d82..aeb9ca01 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,13 +6,76 @@ ## Reporting a Vulnerability If you think you've found a potential vulnerability in Imath, please -report it by emailing security@openexr.com. Only OpenEXR Technical -Steering Committee members and Academy Software Foundation project -management have access to these messages. Include detailed steps to -reproduce the issue, and any other information that could aid an -investigation. Our policy is to respond to vulernability reports -within 14 days. - -Our policy is to address critical security vulnerabilities rapidly and -post patches as quickly as possible. +report it by filing a GitHub [security +advisory](https://github.com/AcademySoftwareFoundation/Imath/security/advisories/new). Alternatively, +email security@openexr.com and provide your contact info for further +private/secure discussion. If your email does not receive a prompt +acknowledgement, your address may be blocked. + +Our policy is to acknowledge the receipt of vulnerability reports +within 48 hours. Our policy is to address critical security vulnerabilities +rapidly and post patches within 14 days if possible. + +## Supported Versions + +This gives guidance about which branches are supported with patches to +security vulnerabilities. + +| Version / branch | Supported | +| --------- | ---------------------------------------------------- | +| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. | +| 3.1.x | :white_check_mark: All fixes that can be backported without breaking ABI compatibility. | +| 3.0.x | :warning: Only the most critical fixes, only if they can be easily backported. | + +## Signed Releases + +Releases artifacts are signed via +[sigstore](https://www.sigstore.dev). See +[release-sign.yml](.github/workflows/release-sign.yml) for details. 
+ +To verify a downloaded release at a given tag: + + % pip install sigstore + % sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/ Imath-.tar.gz + +## Security Expectations + +### Software Features + +- The Imath project implements basic vector, matrix, and math + operations, and is used throughout the motion picture industry and + beyond, on Linux, macOS, and Windows. + +- The project consists of a software run-time library, implemented in + C/C++ and built via cmake. The project also distributes python + wrappings for the C/C++ I/O API. + +- The library provides no external input/output. + +- Other than the website and online technical documentation, the + project implements no web/online services or network communication + protocols. The library never requests any security or + authentication credentials or login information from users. + + The website implements no interactive features and requires no login + credentials. + +### Software Dependencies + +Imath has no external dependencies. + +The Imath python bindings depend on python and boost. + +### Development Cycle and Distribution + +Imath is downloadable and buildable by C/C++ source via GitHub. Only +members of the project's Technical Steering Committee, all veteran +software engineers at major motion picture studios or vendors, have +write permissions on the source code repository. All critical software +changes are reviewed by multiple TSC members. + +The library is distributed in binary form via many common package +managers across all platforms. + +