feat: linux codesign with sigstore #7674
Conversation
WIP
WIP: updating windows code signing process with OIDC only
keeping build and codesigning for local testing
linux signing only
Update to use the correct path
Add comment for cleaning up Codesign only on tag push
| permissions: | ||
| contents: read | ||
| id-token: write |
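Review bot: `id-token: write` lets every step in this job request an OIDC token that Sigstore's Fulcio will exchange for a short-lived signing certificate issued in this workflow's name, so keep this permissions block on the signing job only and keep anything that runs PR-controlled or third-party code out of that job. A job-level block also resets every scope it does not list to none, so the only scopes that should appear here are the ones this job's steps actually use. Finally, a keyless signature is only as strong as the identity check on the verifying side: document the expected `--certificate-identity` (the workflow ref) and `--certificate-oidc-issuer` (`https://token.actions.githubusercontent.com`) for whoever verifies the release, otherwise any Fulcio-issued certificate would pass.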
Necessary for Sigstore to use keyless mode and create a temp cert.
💡 Codex Review
Here are some automated review suggestions for this pull request.
| permissions: | ||
| contents: read | ||
| id-token: write |
Restore actions permissions for cache/artifact steps
The new job-level permissions block grants only contents: read and id-token: write, which zeros out all other scopes. This job still uses actions/cache@v4 and actions/upload-artifact@v5 later in the same workflow; both hit the Actions API and will return 403 when the GITHUB_TOKEN no longer has actions: read/write, so caches won’t restore/save and artifacts won’t upload, breaking the release build on every run. Please include the required actions scope (or avoid narrowing permissions here) so those steps keep working.
Summary
Linux codesigning with sigstore and test run output at https://github.com/openai/codex/actions/runs/19994328162?pr=7662.
Sigstore is one of the few ways of code signing for the Linux platform. Linux is open source, and therefore binary/dist validation comes with the build itself instead of from a central authority like Windows or Mac. The alternative here is to use GPG, which again has a public key included with the bundle for validation. The advantage with Sigstore is that we do not have to create a private key for signing, but rather sign with keyless signing.
This should be sufficient for us at this point, and if we want to, we can support GPG in the future.
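The reviewer comment above on why the job needs `id-token: write` and the summary's description of keyless signing are illustrated by the following workflow. It is an added example, not the PR's own workflow or any file from the openai/codex repository: the job names, the `release-linux.yml` filename, the `dist/codex-linux-x86_64` artifact path, the tag trigger and the action versions are all assumptions. It shows a build job handing the binary to a separate, minimal-permission signing job that signs with `cosign sign-blob` (no long-lived private key; the cert comes from the workflow's OIDC identity) and then verifies the result pinned to that identity, which is the same check a downstream user should run.

```yaml
# Added example (not the PR's code): keyless Sigstore signing of a Linux
# release binary in GitHub Actions. Job names, paths, the workflow filename
# (.github/workflows/release-linux.yml) and action versions are assumptions.
name: release-linux

on:
  push:
    tags: ["v*"]   # assumption: sign only on tag pushes

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # assumption: produces dist/codex-linux-x86_64
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  codesign:
    needs: build
    runs-on: ubuntu-latest
    # A job-level permissions block sets every scope it does not list to
    # "none", so list exactly the scopes this job's steps use. Keep the
    # signing job separate from the build so that nothing running
    # PR-controlled code shares the id-token: write grant.
    permissions:
      contents: read
      id-token: write   # lets cosign request an OIDC token; Fulcio exchanges it for a short-lived cert
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: sigstore/cosign-installer@v3
      - name: Sign with keyless Sigstore (no stored private key)
        run: |
          cd dist
          sha256sum codex-linux-x86_64 > codex-linux-x86_64.sha256
          # --yes skips the interactive prompt; --bundle writes the cert,
          # signature and Rekor transparency-log entry into one file.
          cosign sign-blob --yes \
            --bundle codex-linux-x86_64.sigstore.json \
            codex-linux-x86_64
      - name: Verify the signature pinned to this workflow's identity
        env:
          # The cert's SAN is the workflow ref; for a tag push github.ref is refs/tags/<tag>.
          # Assumption: the repo is openai/codex and this file is release-linux.yml.
          EXPECTED_IDENTITY: https://github.com/openai/codex/.github/workflows/release-linux.yml@${{ github.ref }}
        run: |
          cd dist
          # Without --certificate-identity and --certificate-oidc-issuer,
          # any Fulcio-issued certificate would be accepted.
          cosign verify-blob \
            --bundle codex-linux-x86_64.sigstore.json \
            --certificate-identity "$EXPECTED_IDENTITY" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            codex-linux-x86_64
      - uses: actions/upload-artifact@v4
        with:
          name: dist-signed
          path: dist/
```

Downstream users run the same `cosign verify-blob` command against the published binary and `.sigstore.json` bundle; where they do not know the exact tag in advance, `--certificate-identity-regexp` with a pattern such as `^https://github.com/openai/codex/.github/workflows/release-linux.yml@refs/tags/v.*$` keeps verification pinned to this workflow rather than to any Sigstore-issued certificate. The `.sha256` file is a convenience for checksum tooling and is not itself a trust anchor; the Sigstore bundle is.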