feat: Sign sentry-prevent-cli binaries with Cosign (#86)

spalmurray · web-flow · commit ddf5e45754d2 · 2025-09-07T21:55:06.000+02:00
This PR adds Cosign signing for prevent-cli binaries. We decided to go
with Cosign over PGP like we have for the codecov CLI to avoid the
headaches of key management and overall I'm pretty happy with how easy
this is for both signer and verifier!

Closes CCMRG-452
diff --git a/.craft.yml b/.craft.yml
@@ -5,7 +5,7 @@ github:
 changelogPolicy: auto
 
 targets:
-  # For direct binary downloads + shasum + shasum.sig
+  # For direct binary downloads + cosign bundles
   - name: github
     tagPrefix: v
     checksums:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -165,12 +165,26 @@ jobs:
     name: Package assets for Craft
     runs-on: ubuntu-latest
     needs: [build_for_pypi, build_assets, build_linux_assets]
+    permissions:
+      id-token: write # needed for signing binaries with OIDC token via Cosign
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           pattern: "{sentry-prevent-,codecov-,codecov}cli*"
 
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+
+      - name: Sign sentry-prevent-cli binaries
+        run: |
+          # Glob matches all prevent-cli binaries, not python wheel nor anything else.
+          for file in sentry-prevent-cli_*/sentry-prevent-cli_*; do
+            cosign sign-blob $file --bundle "$file.bundle" --yes;
+            # Test verification because why not
+            cosign verify-blob $file --bundle "$file.bundle" --certificate-identity-regexp="^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+" --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+          done
+
       - name: Upload release artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -180,3 +194,4 @@ jobs:
             sentry-prevent-cli_wheel/*
             codecovcli*
             codecov-cli_wheel/*
+            *.bundle
diff --git a/README.md b/README.md
@@ -14,9 +14,35 @@ The Sentry Prevent CLI is responsible for uploading code coverage and test resul
 
 # Installing
 
-As of today, you are not able to install the Sentry Prevent CLI. We are planning to release it on the PyPI and for direct download in the near future.
-
-If you're determined, you can build the CLI yourself from source by running `uv build` in the `prevent-cli` directory.
+### PyPI
+
+```
+pip install sentry-prevent-cli
+```
+
+### Binary
+
+We build and publish binaries for Linux, MacOS, and Windows. See our GitHub Releases for the full list of OS/architecture combinations we build for. We'll use our macos binary for demonstration purposes here:
+```
+curl -o sentry-prevent-cli -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos"
+chmod +x sentry-prevent-cli
+```
+
+#### Verifying the binary
+If you'd like, you may use Sigstore's Cosign to verify the integrity of your download against our provided Cosign bundles and identity details. For more information on Cosign along with installation instructions, see their [documentation](https://docs.sigstore.dev/cosign/system_config/installation).
+
+First get the appropriate Cosign bundle from our GitHub Release assets. Appending `.bundle` to the binary URL will get you the right file.
+```
+curl -O -L "https://github.com/getsentry/prevent-cli/releases/latest/download/sentry-prevent-cli_macos.bundle"
+```
+Then, use `cosign` to verify the binary:
+```
+cosign verify-blob sentry-prevent-cli \
+    --bundle sentry-prevent-cli_macos.bundle \
+    --certificate-identity-regexp="^https://github\.com/getsentry/prevent-cli/\.github/workflows/build\.yml@refs/heads/release/[0-9]+\.[0-9]+\.[0-9]+" \
+    --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+The OIDC identity here is associated with the specific workflow run that signs the binary. If the verification succeeds, you can trust you've recieved the same binary we built in our GitHub Actions workflow.
 
 # Usage
 
diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
@@ -14,9 +14,8 @@ cd ../codecov-cli
 uv run pyinstaller -F codecov_cli/main.py
 mv ./dist/main ./dist/codecovcli_$1
 
-# linux binary should be just codecovcli_linux
+# codecov linux binary should be just codecovcli_linux
 if [ $1 = "linux_x86_64" ]; then
     cd ..
-    mv ./prevent-cli/dist/sentry-prevent-cli_$1 ./prevent-cli/dist/sentry-prevent-cli_linux
     mv ./codecov-cli/dist/codecovcli_$1 ./codecov-cli/dist/codecovcli_linux
 fi
