|
| 1 | +# 0015. Require signed release tags for trusted upgrades |
| 2 | + |
| 3 | +Date: 2026-06-04 |
| 4 | + |
| 5 | +Status: Accepted |
| 6 | + |
| 7 | +## Context |
| 8 | + |
| 9 | +Instance operators refresh product-owned files with `npm run upgrade`. The upgrade process fetches an upstream Git ref, |
| 10 | +syncs product files such as `defaults/`, `scripts/`, and `package.json`, then can run build, test, and doctor commands |
| 11 | +from the synced product code. |
| 12 | + |
| 13 | +That means an upgrade ref is a supply-chain trust boundary. If the default ref is a mutable branch such as `main`, or if |
| 14 | +an unsigned release tag can be moved or recreated, a compromised upstream account or workflow could cause an instance |
| 15 | +operator to execute unreviewed upstream code during upgrade verification. |
| 16 | + |
| 17 | +Release signatures do not prove that the code is safe. They prove that a trusted release identity authorized the Git |
| 18 | +object being consumed. That is still valuable: it raises the cost of compromise, gives operators a stable provenance |
| 19 | +check before execution, and makes unauthorized or disputed release publication easier to detect. |
| 20 | + |
| 21 | +## Decision |
| 22 | + |
| 23 | +Use release-please to prepare release pull requests, version bumps, changelog entries, and release notes. Do not treat |
| 24 | +release-please as the final release signer. |
| 25 | + |
| 26 | +After the release pull request is merged, a trusted maintainer creates and pushes the release tag with Sigstore/gitsign. |
| 27 | +Release tags use the `vX.Y.Z` format. |
| 28 | + |
| 29 | +Trusted release signatures are Sigstore/gitsign signatures whose certificate identity is one of the pinned release |
| 30 | +signer identities in `.github/release-signers.json`, and whose certificate OIDC issuer is |
| 31 | +`https://github.com/login/oauth`. |
| 32 | + |
| 33 | +The initial trusted release signers are: |
| 34 | + |
| 35 | +- `code@Dicaire.com` |
| 36 | +- `felix@felixleger.com` |
| 37 | + |
| 38 | +Protect release tags with GitHub tag rules for `refs/tags/v*`: |
| 39 | + |
| 40 | +- block tag deletion |
| 41 | +- block tag updates and force-pushes |
| 42 | +- require the release tag to be created by a trusted maintainer |
| 43 | +- include administrators in the rules and avoid bypass actors |
| 44 | + |
| 45 | +Future upgrade hardening should make `npm run upgrade` default to the latest verified release tag instead of `main`, |
| 46 | +support explicit `--ref vX.Y.Z` pinning, warn on mutable branch refs, verify the selected release tag before extracting |
| 47 | +or executing product files, and document `--no-check` as the high-assurance "sync, review, then run checks" path. |
| 48 | + |
| 49 | +## Release Tag Procedure |
| 50 | + |
| 51 | +Configure gitsign for tag signing: |
| 52 | + |
| 53 | +```sh |
| 54 | +git config --global gpg.format x509 |
| 55 | +git config --global gpg.x509.program gitsign |
| 56 | +git config --global tag.gpgsign true |
| 57 | +``` |
| 58 | + |
| 59 | +After the release pull request has merged and `main` is clean: |
| 60 | + |
| 61 | +```sh |
| 62 | +git pull |
| 63 | +git tag -s vX.Y.Z -m "vX.Y.Z" |
| 64 | +gitsign verify --certificate-identity code@Dicaire.com --certificate-oidc-issuer https://github.com/login/oauth vX.Y.Z |
| 65 | +git push origin vX.Y.Z |
| 66 | +``` |
| 67 | + |
| 68 | +Use the signer identity that matches the maintainer creating the release. A second trusted signer may independently |
| 69 | +verify the pushed tag. |
| 70 | + |
| 71 | +## Consequences |
| 72 | + |
| 73 | +- Operators have a concrete provenance check before upgrade verification executes upstream product code. |
| 74 | +- Release publication depends on trusted maintainer identity rather than only GitHub workflow authority. |
| 75 | +- A compromised mutable branch is no longer an acceptable default upgrade source. |
| 76 | +- A compromised maintainer account can still sign a malicious release if its identity controls are defeated; this model |
| 77 | + is provenance and detection, not an anti-tamper guarantee. |
| 78 | +- GitHub tag protection becomes part of release operations. Some controls must be applied through GitHub repository or |
| 79 | + organization settings, or through the GitHub API with administrative credentials. |
| 80 | +- Future SLSA provenance can add build-process guarantees beyond tag identity. |
0 commit comments