Skip to content

feat: add build attestations and verification for installer binaries#22

Merged
zerosnacks merged 31 commits intomasterfrom
feat/attestations
Jan 22, 2026
Merged

feat: add build attestations and verification for installer binaries#22
zerosnacks merged 31 commits intomasterfrom
feat/attestations

Conversation

@zerosnacks
Copy link
Member

@zerosnacks zerosnacks commented Jan 21, 2026
edited
Loading

Summary

This PR adds build attestation generation to the release workflow and verification to the installer script, improving supply chain security for foundryup.

Changes

Release Workflow (.github/workflows/release.yml)

  • Added permissions: {} at the top level to restrict default permissions
  • Added job-level permissions for attestation generation:
    • id-token: write - Required for OIDC token to sign attestations
    • contents: read - Required to read repository contents
    • attestations: write - Required to upload attestations
  • Integrated actions/attest-build-provenance@v3 to generate attestations for each platform binary
  • Record attestation URLs to .attestation.txt files (e.g., foundryup_linux_amd64.attestation.txt)
  • Upload both binaries and attestation files as release artifacts

Installer Script (foundryup-init.sh)

  • Download attestation file before binary download
  • Extract expected SHA256 hash from GitHub attestation artifact
  • Verify downloaded binary hash matches attestation
  • Add --force / -f flag to skip verification (sets FOUNDRYUP_IGNORE_VERIFICATION=true)
  • Add get_ext helper function for Windows .exe extension handling
  • Display "binary verified ✓" on successful verification

Tests

  • Add script_get_ext_windows and script_get_ext_unix tests for extension helper
  • Add script_compute_sha256_known_value test for SHA256 computation
  • Add script_downloads_with_attestation_verification test asserting "binary verified ✓"
  • Add script_downloads_with_force_skips_attestation test for --force flag

Security Benefits

  • Supply chain integrity: Users can verify that binaries were built by GitHub Actions from the official repository
  • Tamper detection: Any modification to binaries after build will cause verification to fail
  • Transparency: Attestation artifacts are publicly available and auditable

Usage

Attestation verification happens automatically:

curl -L https://foundry.paradigm.xyz | bash

To skip verification (not recommended):

curl -L https://foundry.paradigm.xyz | bash -s -- --force

@zerosnacks zerosnacks self-assigned this Jan 21, 2026
@zerosnacks zerosnacks changed the title feat: add build attestations and verification feat: add build attestations and verification for installer binaries Jan 21, 2026
@zerosnacks zerosnacks changed the base branch from master to feat/expand-test-matrix January 21, 2026 10:27
@zerosnacks zerosnacks force-pushed the feat/expand-test-matrix branch from 5abfc31 to e19802a Compare January 21, 2026 10:32
Base automatically changed from feat/expand-test-matrix to master January 21, 2026 11:06
@zerosnacks
ci: enable ARM builds
09f97c1
@zerosnacks
feat: expand test matrix to match release matrix (#23)
bc096e4 
- Add all release targets to CI test matrix (musl, arm64)
- Add platform and arch labels to matrix
- Install musl-tools and cross-compilation tools for musl targets
- Use BASE_DIR/FOUNDRY_DIR pattern matching foundry for XDG support
- Add --yes alias for -y flag
- Fix test to unset XDG_CONFIG_HOME
@zerosnacks
feat: add build attestations and verification
35c9333 
- Update release workflow to generate attestations using actions/attest-build-provenance@v3
- Record attestation URLs to .attestation.txt files included in releases
- Add attestation verification to foundryup-init.sh installer script
- Support --force/-f flag and FOUNDRYUP_SKIP_VERIFY env var to skip verification
@zerosnacks
test: skip attestation verification in installer test
49a1058 
Attestations are not yet available for current releases, so skip
verification in the test to avoid failures when downloading.
@zerosnacks
fix: use try_download for attestations to avoid exit on 404
0e9aa70 
The downloader function exits on 404, which caused the script to fail
when attestations are not available. Use a new try_download function
that silently returns non-zero on failure instead.
@zerosnacks
temporarily disable -arm until release is ready
d0bea6b
@zerosnacks zerosnacks mentioned this pull request Jan 21, 2026
Closed
@zerosnacks zerosnacks marked this pull request as ready for review January 21, 2026 16:01
@zerosnacks
chore: release v0.0.3
428b1ec
@zerosnacks
test: add attestation verification tests for installer script
1b96d9b
@zerosnacks
fmt
56ebc83
@zerosnacks
fix: use printf instead of echo -n for POSIX compatibility
27658ec
@zerosnacks
fix: add .exe extension for Windows binaries
5ced3b9 
- Add get_ext helper function to return .exe for win32 platforms
- Simplify attestation verification test to assert 'binary verified ✓'
- Add tests for get_ext function
- Remove redundant tests
@zerosnacks zerosnacks merged commit a67a724 into master Jan 22, 2026
12 checks passed
@zerosnacks zerosnacks deleted the feat/attestations branch January 22, 2026 08:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@onbjerg onbjerg onbjerg approved these changes

@DaniPopes DaniPopes Awaiting requested review from DaniPopes DaniPopes is a code owner

@mattsse mattsse Awaiting requested review from mattsse mattsse is a code owner

@grandizzy grandizzy Awaiting requested review from grandizzy grandizzy is a code owner

@0xrusowsky 0xrusowsky Awaiting requested review from 0xrusowsky 0xrusowsky is a code owner

Assignees

@zerosnacks zerosnacks

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zerosnacks @onbjerg