Add signature verification for release binary downloads #25

Closed
opened 2026-05-02 04:02:36 +00:00 by rodin · 1 comment
Owner

Problem

The composite action downloads the review-bot binary from a Gitea release and verifies a SHA256 checksum. Both the binary and checksum come from the same source — this guards against corruption but not a compromised distribution point.

Proposal

Sign release binaries with a GPG key (or cosign) and verify the signature in the composite action before executing. This provides cryptographic proof of authenticity, not just integrity.

Priority

Low — we control the Gitea instance and the release pipeline. This is defense-in-depth for a supply-chain attack scenario that requires compromising our infrastructure first.

Context

Flagged as [NIT] by the security reviewer in PR #22.
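An added illustration of the distinction the issue draws between integrity and authenticity (example code, not from the review-bot repository): the checksum file is signed, and the composite action pins the signer's public key instead of trusting whatever the release host serves. Ed25519 from the Go standard library stands in for GPG/cosign, and the release contents are constructed in memory rather than downloaded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what the action fetches from the Gitea release page
// (constructed here instead of downloaded).
type Release struct {
	Binary    []byte // the review-bot binary
	Checksums []byte // "<sha256>  review-bot\n", published beside it
	Signature []byte // detached signature over Checksums
}

func checksumLine(binary []byte) []byte {
	sum := sha256.Sum256(binary)
	return []byte(fmt.Sprintf("%s  review-bot\n", hex.EncodeToString(sum[:])))
}

// ChecksumOK is the current step: binary and checksum from the same source.
func ChecksumOK(r Release) bool {
	return string(r.Checksums) == string(checksumLine(r.Binary))
}

// SignedChecksumOK is the proposed step: the checksum file must verify
// against a key pinned in the action before the checksum is even compared.
func SignedChecksumOK(pinned ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pinned, r.Checksums, r.Signature) && ChecksumOK(r)
}

// Publish is what the release pipeline would do with the private key.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	cs := checksumLine(binary)
	return Release{Binary: binary, Checksums: cs, Signature: ed25519.Sign(priv, cs)}
}

// Swap models the case the issue worries about: the distribution point
// replaces both binary and checksum file, but has no signing key.
func Swap(r Release, replacement []byte) Release {
	return Release{Binary: replacement, Checksums: checksumLine(replacement), Signature: r.Signature}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish(priv, []byte("review-bot v1"))
	swapped := Swap(good, []byte("review-bot v1 (modified)"))
	fmt.Println(ChecksumOK(swapped), SignedChecksumOK(pub, swapped)) // true false
}
```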

Author
Owner

Closing as wontfix. The threat model (we own the Gitea instance, checksums verify integrity) doesn't justify adding GPG/cosign infrastructure for an internal tool. If we ever publish this externally, we can revisit.

rodin closed this issue 2026-05-02 19:08:13 +00:00

Reference: rodin/review-bot#25