From 8acc8c432f7a5577473c62018e139c62c4fe63f9 Mon Sep 17 00:00:00 2001
From: Ankith
Date: Wed, 19 Jun 2024 12:52:55 +0530
Subject: [PATCH] Improve security of releases by adding hash checks

---
 .github/workflows/release-gh-draft.yml | 8 ++++++++
 .github/workflows/release-pypi.yml | 11 +++++++++++
 2 files changed, 19 insertions(+)

diff --git a/.github/workflows/release-gh-draft.yml b/.github/workflows/release-gh-draft.yml
index 05bb1046e2..7cdf266047 100644
--- a/.github/workflows/release-gh-draft.yml
+++ b/.github/workflows/release-gh-draft.yml
@@ -55,6 +55,14 @@ jobs:
 id: ver
 run: echo "VER=${GITHUB_REF_NAME#'release/'}" >> $GITHUB_OUTPUT
 
+ # First generate release.sha512sum which contains hashes of all release files, then
+ # encrypt these hashes so that the hash file itself cannot be tampered with.
+ - name: Generate release hashes (encrypted)
+ run: |
+ cd pygame-wheels
+ sha512sum * > release.sha512sum
+ gpg --batch --output release.sha512sum.gpg --passphrase ${{ secrets.GITHUB_TOKEN }} --symmetric release.sha512sum
+
 - name: Draft a release
 uses: softprops/action-gh-release@v2
 with:
diff --git a/.github/workflows/release-pypi.yml b/.github/workflows/release-pypi.yml
index 151cff57cb..0b48d2eece 100644
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@@ -23,5 +23,16 @@ jobs:
 zipBall: false
 out-file-path: "dist"
 
+ # Check that all the files that successfully uploaded from the release-gh-draft
+ # action have not been tampered with. This however ignores any extra files that
+ # were manually added.
+ - name: Verify release hashes
+ run: |
+ cd dist
+ gpg --batch --output release.decrypted.sha512sum --passphrase ${{ secrets.GITHUB_TOKEN }} --decrypt release.sha512sum.gpg
+ diff -s release.sha512sum release.decrypted.sha512sum
+ sha512sum -c release.decrypted.sha512sum
+ rm release.*
+
 - name: Publish to PyPI
 uses: pypa/gh-action-pypi-publish@release/v1
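Review bot: `secrets.GITHUB_TOKEN` is minted per workflow run and expires when the run ends, so the passphrase given to `--symmetric` in the "Generate release hashes" step will not be the one the release-pypi workflow's decrypt step (next hunk) holds, and that `gpg --decrypt` should fail with a bad-key error; both steps need a shared, long-lived repository secret (e.g. `RELEASE_HASH_KEY`, a placeholder name) or, better, a detached signature or artifact attestation that verifies without sharing a secret at all. Symmetric encryption also does not give the property the step comment claims: anyone who can replace release assets from a workflow can read the same secret and re-encrypt a fresh hash file, so the check only detects tampering by parties without access to repository secrets, and the comment should say so. Passing the passphrase on the command line exposes it in the job's process list; prefer an `env:`-mapped variable fed through `--passphrase-fd 0`, e.g. `echo "$RELEASE_HASH_KEY" | gpg --batch --passphrase-fd 0 --symmetric --output release.sha512sum.gpg release.sha512sum`. The enclosing job starts and ends outside the hunk.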
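Review bot: `sha512sum -c` only checks the files named in the list, so the gap the "Verify release hashes" comment admits (files added to the release after the draft step) is exactly the case a tampered release would use, and the step still publishes them; compare the directory contents with the list before publishing, e.g. `[ "$(ls | grep -vc '^release\.')" -eq "$(wc -l < release.decrypted.sha512sum)" ]` after the check, and use `sha512sum --check --strict release.decrypted.sha512sum` so malformed lines fail the job instead of being skipped. The step relies on the implicit `bash -e` of an unspecified `shell:` to stop before `rm release.*` when `gpg`, `diff` or the checksum fails; declaring `shell: bash` explicitly makes that intent visible and also enables `pipefail`. The enclosing job starts and ends outside the hunk.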