{"id":30709802,"url":"https://github.com/prefix-dev/sigstore-example","last_synced_at":"2026-02-13T11:22:07.840Z","repository":{"id":312701830,"uuid":"1048392115","full_name":"prefix-dev/sigstore-example","owner":"prefix-dev","description":"Signing a Conda package with Sigstore and uploading it to prefix.dev","archived":false,"fork":false,"pushed_at":"2026-02-05T11:38:00.000Z","size":28,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-05T22:58:50.505Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/prefix-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-01T11:24:14.000Z","updated_at":"2025-09-19T12:39:51.000Z","dependencies_parsed_at":"2025-09-01T14:20:49.753Z","dependency_job_id":"0733220f-0173-4553-b4b2-28a25f8ea8b1","html_url":"https://github.com/prefix-dev/sigstore-example","commit_stats":null,"previous_names":["prefix-dev/sigstore-example"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/prefix-dev/sigstore-example","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-example/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/prefix-dev","download_url":"https://codeload.github.com/prefix-dev/sigstore-example/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prefix-dev%2Fsigstore-example/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29403761,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-13T06:24:03.484Z","status":"ssl_error","status_checked_at":"2026-02-13T06:23:12.830Z","response_time":78,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-02T23:48:59.958Z","updated_at":"2026-02-13T11:22:07.836Z","avatar_url":"https://github.com/prefix-dev.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Sigstore Integration with prefix.dev\n\nA complete example demonstrating how to build a Conda package with cryptographic signatures using Sigstore attestations and trusted publishing to prefix.dev.\n\n## Overview\n\nThis repository showcases the integration of:\n\n- **`rattler-build`** - Building Conda packages\n- **Sigstore** - Creating cryptographic attestations (CEP-27 compliance)\n- **prefix.dev** - Trusted publishing without API keys\n- **GitHub Actions** - Automated CI/CD pipeline\n\n## How It Works\n\n### 1. Package Building\n\nThe workflow uses the `prefix-dev/rattler-build-action@v0.2.34` to:\n\n- Install `rattler-build`\n- Build the Conda package from the recipe in `conda.recipe/`\n\n### 2. Attestation Creation\n\nWe create a cryptographic attestation using GitHub's official attest action:\n\n```yaml\n- uses: actions/attest@v1\n  id: attest\n  with:\n    subject-path: \"**/*.conda\"\n    predicate-type: \"https://schemas.conda.org/attestations-publish-1.schema.json\"\n    predicate: \"{\\\"targetChannel\\\": \\\"https://prefix.dev/sigstore-example\\\"}\"\n```\n\nThis creates an attestation on the public Sigstore instance with CEP-27 compliance.\n\n\u003e **Note:** For private repositories, you'll need to enable Sigstore in your repository settings.\n\n### 3. Trusted Publishing Setup\n\nOn prefix.dev, we've configured trusted publishing to allow uploads from:\n\n- **Repository:** `prefix-dev/sigstore-example`\n- **Workflow:** `.github/workflows/action.yaml`\n\n![Trusted publishing configuration on prefix.dev](https://github.com/user-attachments/assets/8119f636-377a-48c9-8354-40226d2ea6b5)\n\n### 4. Secure Upload\n\nThe package and attestation are uploaded securely without API keys:\n\n```yaml\n- name: Upload the package\n  run: |\n    rattler-build upload prefix -c sigstore-example ./output/**/*.conda --attestation ${{ steps.attest.outputs.bundle-path }}\n```\n\n## 🔍 Verification \u0026 Results\n\n### Package Location\n\n- **Package:** [prefix.dev/channels/sigstore-example/packages/signed-package](https://prefix.dev/channels/sigstore-example/packages/signed-package)\n\n### Attestation Locations\n\nThe signature can be verified on multiple platforms:\n\n- **prefix.dev** - Package metadata\n- **[GitHub Attestations](https://github.com/prefix-dev/sigstore-example/attestations/10209596)** - Repository attestations\n- **[Sigstore Public Instance](https://search.sigstore.dev/?logIndex=456061810)** - Public transparency log\n\n## Verifying Attestations\n\n### Prerequisites\n\nInstall required tools (if not already available):\n\n```sh\npixi global install gh curl\n```\n\n### Download and Verify\n\n```sh\n# Download the package\ncurl -L https://prefix.dev/sigstore-example/linux-64/signed-package-2.1.0-hb0f4dca_0.conda -o package.conda\n\n# Verify the attestation\ngh attestation verify \\\n  --owner prefix-dev \\\n  --predicate-type \"https://schemas.conda.org/attestations-publish-1.schema.json\" \\\n  package.conda\n```\n\n### Expected Output\n\n```text\nLoaded digest sha256:3862a3677d33a45134a2ce3452b23f8f7459fe581cefbc3818272648cd987cfb for file://package.conda\nLoaded 1 attestation from GitHub API\n\nThe following policy criteria will be enforced:\n- Predicate type must match:................ https://schemas.conda.org/attestations-publish-1.schema.json\n- Source Repository Owner URI must match:... https://github.com/prefix-dev\n- Subject Alternative Name must match regex: (?i)^https://github.com/prefix-dev/\n- OIDC Issuer must match:................... https://token.actions.githubusercontent.com\n\n✓ Verification succeeded!\n\nThe following 1 attestation matched the policy criteria\n\n- Attestation #1\n- Build repo:..... prefix-dev/sigstore-example\n- Build workflow:. .github/workflows/action.yaml@refs/heads/main\n- Signer repo:.... prefix-dev/sigstore-example\n- Signer workflow: .github/workflows/action.yaml@refs/heads/main\n```\n\n## Alternative Verification Methods\n\nYou can also verify attestations using:\n\n- **`cosign`** - Sigstore's native CLI tool\n- **`sigstore-python`** - Python SDK for Sigstore verification\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprefix-dev%2Fsigstore-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprefix-dev%2Fsigstore-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprefix-dev%2Fsigstore-example/lists"}