The install actions at install/ampel/action.yml and install/bnd/action.yml (currently at v1.1.5 / commit ba6f58b71202) fetch their binaries with bare curl -Lo … and then chmod 0755, with no checksum, signature, or attestation verification step. For example, in install/ampel/action.yml:
- name: Install ampel
shell: bash
run: |
mkdir -p ${{ inputs.install-dir }}/bin || :
curl -Lo ${{ inputs.install-dir }}/bin/ampel${{ steps.platform.outputs.ext }} \
https://github.com/carabiner-dev/ampel/releases/download/${{ inputs.version }}/${{ steps.platform.outputs.filename }}
chmod 0755 ${{ inputs.install-dir }}/bin/ampel${{ steps.platform.outputs.ext }}
install/bnd/action.yml has the same shape for the bnd binary.
The Apache Software Foundation runs verify-action-build (https://github.com/apache/infrastructure-actions) on every action used by ASF projects. It flags both files as unverified binary downloads when reviewing ampel/verify for inclusion (apache/infrastructure-actions#802).
The release artifacts already include the underlying signing material — ampel-vX.Y.Z.provenance.json (SLSA provenance) for ampel and attestations.jsonl for bnd — so the chain exists; it's just not surfaced to consumers of the install actions.
A few options that would unblock ASF adoption:
- Add a
gh attestation verify step after the curl, e.g. gh attestation verify "$binary" --owner carabiner-dev. Cleanest if your attestations are published to GitHub's attestation transparency log.
- Publish a
SHA256SUMS file at release time and have the install action fetch + verify it (curl … && curl … SHA256SUMS && sha256sum -c).
- Use
cosign verify-blob against the existing .provenance.json (would need a sigstore/cosign-installer step in the install action too).
Happy to send a PR once you indicate which path you'd prefer.
(This is a security-process finding; nothing suggests the current binaries are bad — but a runner that fetches them has no way to detect tampering or registry compromise without an explicit verification step.)
The install actions at
install/ampel/action.ymlandinstall/bnd/action.yml(currently at v1.1.5 / commitba6f58b71202) fetch their binaries with barecurl -Lo …and thenchmod 0755, with no checksum, signature, or attestation verification step. For example, ininstall/ampel/action.yml:install/bnd/action.ymlhas the same shape for thebndbinary.The Apache Software Foundation runs
verify-action-build(https://github.com/apache/infrastructure-actions) on every action used by ASF projects. It flags both files as unverified binary downloads when reviewingampel/verifyfor inclusion (apache/infrastructure-actions#802).The release artifacts already include the underlying signing material —
ampel-vX.Y.Z.provenance.json(SLSA provenance) for ampel andattestations.jsonlfor bnd — so the chain exists; it's just not surfaced to consumers of the install actions.A few options that would unblock ASF adoption:
gh attestation verifystep after thecurl, e.g.gh attestation verify "$binary" --owner carabiner-dev. Cleanest if your attestations are published to GitHub's attestation transparency log.SHA256SUMSfile at release time and have the install action fetch + verify it (curl … && curl … SHA256SUMS && sha256sum -c).cosign verify-blobagainst the existing.provenance.json(would need asigstore/cosign-installerstep in the install action too).Happy to send a PR once you indicate which path you'd prefer.
(This is a security-process finding; nothing suggests the current binaries are bad — but a runner that fetches them has no way to detect tampering or registry compromise without an explicit verification step.)