From 91ec72428b47f41a6fe0649f70b08c28ed4da550 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 11:12:22 -0400 Subject: [PATCH 01/14] Test cosign --- .github/workflows/build.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4e12b8ae..83b2df18 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -165,12 +165,22 @@ jobs: name: Package assets for Craft runs-on: ubuntu-latest needs: [build_for_pypi, build_assets, build_linux_assets] + permissions: + id-token: write # needed for signing binaries with OIDC token via Cosign steps: - name: Download artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: "{sentry-prevent-,codecov-,codecov}cli*" + - name: Install Cosign + uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 + + - name: Sign sentry-prevent-cli binaries + run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos.bundle --yes + + - run: ls + - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -180,3 +190,4 @@ jobs: sentry-prevent-cli_wheel/* codecovcli* codecov-cli_wheel/* + *.bundle From 58eadd7708b1f7dde4e19d7b1ce469443b5903d0 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 11:34:50 -0400 Subject: [PATCH 02/14] Test verification --- .github/workflows/build.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 83b2df18..fabb4315 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
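Review bot: The `- run: ls` step inserted between signing and upload is a debugging leftover and should be dropped before this lands. The job-level `permissions:` block is the right least-privilege shape — declaring only `id-token: write` sets every other scope to none for this job, which is all keyless signing needs — but the comment should state that so nobody later re-adds broader scopes, e.g. `permissions:  # job-scoped: only the OIDC token is granted; every other scope is dropped`. `--yes` on `cosign sign-blob` presumably exists here to skip the interactive confirmation that precedes the Rekor transparency-log upload (a non-interactive runner would otherwise block), so each release signature becomes publicly auditable; worth a one-line comment on the step so the flag is not mistaken for something unsafe. The enclosing job definition starts before this hunk.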
@@ -177,10 +177,13 @@ jobs: uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - name: Sign sentry-prevent-cli binaries - run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos.bundle --yes + run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes - run: ls + - name: test verification + run: cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: From e7ca4f690fa6c982753a03bf36f56402ac601079 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 12:50:17 -0400 Subject: [PATCH 03/14] sign the rest of em --- .github/workflows/build.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fabb4315..098cc3a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
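Review bot: The `--certificate-identity` value in the new verification step pins the expected signer to `refs/heads/release/99.9.9`, so the step only passes for a run on that exact branch and fails on every other release; the identity needs to be derived from the run's own ref rather than a literal. Verification here runs in the same job that just signed, so it is a smoke test that the bundle is well-formed and the identity string is right — it does not stand in for consumers verifying their downloads, and a name like `Smoke-test signature verification` would make that clear. The enclosing job definition starts before this hunk.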
@@ -177,12 +177,25 @@ jobs: uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - name: Sign sentry-prevent-cli binaries - run: cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes + run: | + cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes + cosign sign-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes + cosign sign-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes + cosign sign-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes + cosign sign-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes + cosign sign-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes - - run: ls + - run: ls -R - name: test verification - run: cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + run: | + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle 
--yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From 044149d400e96e222c1729fa80622bbc60d3a8cd Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:05:20 -0400 Subject: [PATCH 04/14] Make prevent linux have x86_64 suffix --- scripts/build_linux.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh index 446596b6..88403a58 100755 --- a/scripts/build_linux.sh +++ b/scripts/build_linux.sh @@ -14,9 +14,8 @@ cd ../codecov-cli uv run pyinstaller -F codecov_cli/main.py mv ./dist/main ./dist/codecovcli_$1 -# linux binary should be just codecovcli_linux +# codecov linux binary should be just codecovcli_linux if [ $1 = "linux_x86_64" ]; then cd .. - mv ./prevent-cli/dist/sentry-prevent-cli_$1 ./prevent-cli/dist/sentry-prevent-cli_linux mv ./codecov-cli/dist/codecovcli_$1 ./codecov-cli/dist/codecovcli_linux fi From 2185a5cfe8d6c9be07ca4e163d641f661096083d Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:08:19 -0400 Subject: [PATCH 05/14] Remove accidental flag --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 098cc3a3..b32a0e1d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
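Review bot: The rewritten verification step passes `--yes` to `cosign verify-blob`, which is a signing-side flag that has no role in verification, and the first macos line (without the flag) is duplicated by the second. Six near-identical `cosign sign-blob` and `cosign verify-blob` lines differing only in the artifact suffix invite exactly this kind of copy-paste drift; a loop over the target suffixes keeps the flags in one place and is what I would write instead. The identity literal `refs/heads/release/99.9.9` is carried over unchanged, as raised on the `@@ -177,10 +177,13` hunk.

```yaml
      - name: Sign sentry-prevent-cli binaries
        run: |
          for target in macos windows.exe alpine_arm64 alpine_x86_64 linux_arm64 linux_x86_64; do
            bin="sentry-prevent-cli_${target}/sentry-prevent-cli_${target}"
            cosign sign-blob "$bin" --bundle "${bin}.bundle" --yes
          done
      # … unchanged: ls -R step …
      - name: test verification
        run: |
          for target in macos windows.exe alpine_arm64 alpine_x86_64 linux_arm64 linux_x86_64; do
            bin="sentry-prevent-cli_${target}/sentry-prevent-cli_${target}"
            cosign verify-blob "$bin" --bundle "${bin}.bundle" \
              --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 \
              --certificate-oidc-issuer=https://token.actions.githubusercontent.com
          done
```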
@@ -190,12 +190,12 @@ jobs: - name: test verification run: | cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob 
sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From daf7ec7dddcaa2136278a888c1c08db15319e534 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:23:13 -0400 Subject: [PATCH 06/14] Tweak craft comment --- .craft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.craft.yml b/.craft.yml index d7a4b107..996b6f13 100644 --- a/.craft.yml +++ b/.craft.yml @@ -5,7 +5,7 @@ github: changelogPolicy: auto targets: - # For direct binary downloads + shasum + shasum.sig + # For direct binary downloads + cosign bundles - name: github tagPrefix: v checksums: From aae1743727586cf3cbdd394d0f2a42ababce543c Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:26:20 -0400 Subject: [PATCH 07/14] Try ref name in verify --- .github/workflows/build.yml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b32a0e1d..43466971 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
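Review bot: After the stray flag is removed, the first two `cosign verify-blob` lines of the step are byte-identical (both verify `sentry-prevent-cli_macos`), so the macos binary is checked twice and one line should go. As far as I recall the default `run:` shell on Linux runners is `bash -e`, so any failing verification aborts the step — that is the behaviour wanted here, and a comment `# any failed verification fails the job` would make the intent explicit. The pinned `refs/heads/release/99.9.9` identity is the same issue raised on the `@@ -177,10 +177,13` hunk.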
@@ -185,17 +185,15 @@ jobs: cosign sign-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes cosign sign-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes - - run: ls -R - - - name: test verification + - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/release/99.9.9 --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle 
sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From d6f8d24bfc90dc16ca45ea34d3888aeba8375878 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:27:15 -0400 Subject: [PATCH 08/14] oops --- .github/workflows/build.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 43466971..94b994a1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
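Review bot: `${{ gh.ref_name }}` is not a valid expression context — the available contexts are `github.*` and friends — so the workflow will fail to evaluate this step on every run. Beyond the typo, interpolating `${{ … }}` straight into a `run:` script is the pattern GitHub's hardening guidance warns about for script injection; `ref_name` is low-risk, but the robust form is to expose it through `env:` and reference a shell variable, e.g. `env:` / `REF_NAME: ${{ github.ref_name }}` on the step and `…@refs/heads/${REF_NAME}` in the commands. The same applies to the `@@ -187,13 +187,13` hunk of the follow-up commit that corrects the context name.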
@@ -187,13 +187,13 @@ jobs: - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ gh.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob 
sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From 6d8f0039bd7d6f55c2a266061b15d72d2bc3025e Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:30:38 -0400 Subject: [PATCH 09/14] Remove extra verify --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 94b994a1..e99e2914 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
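Review bot: The corrected identity still hard-codes the `refs/heads/` prefix in front of `${{ github.ref_name }}`, so a run triggered by a tag (whose signing identity ends in `refs/tags/<tag>`) would never match and verification would fail. `github.ref` already carries the full ref, so `…/build.yml@${{ github.ref }}` — via an `env:` variable, as raised on the previous hunk — covers both cases. I cannot see the workflow's `on:` triggers in this diff, so whether tag-triggered runs reach this job is inferred.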
@@ -187,7 +187,6 @@ jobs: - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com From 3aee84810c53cfe29d57c3069a8ff5ad11110141 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 13:43:45 -0400 Subject: [PATCH 10/14] Use regex for cert identity --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e99e2914..cc3ffbbd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -187,12 +187,12 @@ jobs: - name: Test verification run: | - cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com - cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle 
--certificate-identity=https://github.com/getsentry/prevent-cli/.github/workflows/build.yml@refs/heads/${{ github.ref_name }} --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com + cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ 
--certificate-oidc-issuer=https://token.actions.githubusercontent.com - name: Upload release artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 From fd4f6aa2536bef6273390938eabb01c8239fab79 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 17:16:02 -0400 Subject: [PATCH 11/14] Rewrite installation section of README --- README.md | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3cec6593..cf1a2c36 100644 --- a/README.md +++ b/README.md 
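Review bot: Switching to `--certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/` widens the accepted signer from one workflow on one ref to any workflow on any branch of the repository — a run of any other workflow that holds `id-token: write`, including on a feature branch, would produce a signature that this check (and the README command that copies it) accepts. The regexp also leaves `.` unescaped and has no end anchor. Tighten it to the workflow path and the refs releases actually run from, quoting it so the shell does not interpret the metacharacters, e.g. `--certificate-identity-regexp='^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/(heads/release/|tags/)'`; the exact ref alternation should mirror whatever `on:` triggers this job, which this diff does not show. If the installed cosign supports it, `--certificate-github-workflow-repository=getsentry/prevent-cli` is a clearer way to pin the repository part, but the anchored regexp alone is sufficient.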
@@ -14,9 +14,32 @@ The Sentry Prevent CLI is responsible for uploading code coverage and test resul
 # Installing
-As of today, you are not able to install the Sentry Prevent CLI. We are planning to release it on the PyPI and for direct download in the near future.
-
-If you're determined, you can build the CLI yourself from source by running `uv build` in the `prevent-cli` directory.
+### PyPI
+
+```
+pip install sentry-prevent-cli
+```
+
+### Binary
+
+We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combos we build for. We'll use our macos binary for demonstration purposes here:
+```
+curl -o sentry-prevent-cli -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos"
+chmod +x sentry-prevent-cli
+```
+
+#### Verifying the binary
+If you'd like, you may use Sigstore's Cosign to verify the integrity of your download against our provided Cosign bundles and identity details. For more information on Cosign along with installation instructions, see their [documentation](https://docs.sigstore.dev/cosign/system_config/installation).
+
+First get the appropriate Cosign bundle from our GitHub Release assets. Appending `.bundle` to the binary URL will get you the right file.
+```
+curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos.bundle"
+```
+Then, use `cosign` to verify the binary:
+```
+cosign verify-blob sentry-prevent-cli --bundle sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+The OIDC identity here is associated with the specific workflow run that signs the binary. If this command says the binary is verified, you can trust you've recieved the same binary we built in our GitHub Actions workflow.
 # Usage From b5f18fac1d961616ac293382f27fc1c332f0ddbe Mon Sep 17 00:00:00 2001
From: Spencer Murray Date: Thu, 31 Jul 2025 17:22:34 -0400 Subject: [PATCH 12/14] Tweaks to readme --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index cf1a2c36..f8c30a89 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ pip install sentry-prevent-cli
 ### Binary
-We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combos we build for. We'll use our macos binary for demonstration purposes here:
+We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combinations we build for. We'll use our macos binary for demonstration purposes here:
 ```
 curl -o sentry-prevent-cli -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos"
 chmod +x sentry-prevent-cli
@@ -37,9 +37,12 @@ curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/se
 ```
 Then, use `cosign` to verify the binary:
 ```
-cosign verify-blob sentry-prevent-cli --bundle sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+cosign verify-blob sentry-prevent-cli \
+ --bundle sentry-prevent-cli_macos.bundle \
+ --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
-The OIDC identity here is associated with the specific workflow run that signs the binary. If this command says the binary is verified, you can trust you've recieved the same binary we built in our GitHub Actions workflow.
+The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow.
 # Usage
From cab76bd8c1526cf54bece3c4114e41a6244f3a7c Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 17:24:45 -0400 Subject: [PATCH 13/14] Oops --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index f8c30a89..4304df90 100644
--- a/README.md
+++ b/README.md
@@ -37,9 +37,9 @@ curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/se
 ```
 Then, use `cosign` to verify the binary:
 ```
-cosign verify-blob sentry-prevent-cli \
+cosign verify-blob sentry-prevent-cli \
 --bundle sentry-prevent-cli_macos.bundle \
- --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \
+ --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli \
 --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```
 The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow. From dd95d320d891969a58ce07d764d93dc77c092422 Mon Sep 17 00:00:00 2001 From: Spencer Murray Date: Thu, 31 Jul 2025 17:54:29 -0400 Subject: [PATCH 14/14] Simplify signing with for loop --- .github/workflows/build.yml | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cc3ffbbd..d4977d4f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -178,21 +178,12 @@ jobs:
 - name: Sign sentry-prevent-cli binaries
 run: |
- cosign sign-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --yes
- cosign sign-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --yes
- cosign sign-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --yes
- cosign sign-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --yes
- cosign sign-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --yes
- cosign sign-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --yes
-
- - name: Test verification
- run: |
- cosign verify-blob sentry-prevent-cli_macos/sentry-prevent-cli_macos --bundle sentry-prevent-cli_macos/sentry-prevent-cli_macos.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
- cosign verify-blob sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe --bundle sentry-prevent-cli_windows.exe/sentry-prevent-cli_windows.exe.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
- cosign verify-blob sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64 --bundle sentry-prevent-cli_alpine_arm64/sentry-prevent-cli_alpine_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
- cosign verify-blob sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64 --bundle sentry-prevent-cli_alpine_x86_64/sentry-prevent-cli_alpine_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
- cosign verify-blob sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64 --bundle sentry-prevent-cli_linux_arm64/sentry-prevent-cli_linux_arm64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
- cosign verify-blob sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64 --bundle sentry-prevent-cli_linux_x86_64/sentry-prevent-cli_linux_x86_64.bundle --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+ # Glob matches all prevent-cli binaries, not python wheel nor anything else.
+ for file in sentry-prevent-cli_*/sentry-prevent-cli_*; do
+ cosign sign-blob $file --bundle "$file.bundle" --yes;
+ # Test verification because why not
+ cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp=^https://github.com/getsentry/prevent-cli/ --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+ done
 - name: Upload release artifact
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2