Enable github_artifact_attestations for foundry-rs/foundry

[heri16]

Check List

• Read CONTRIBUTING.md
  • Read OSS Contribution Guide
• All commits are signed
  • This repository enables Require signed commits, so all commits must be signed
• Avoid force push
• Install and execute the package and confirm if the package works well
• Execute cmdx s to scaffold code

Enable github_artifact_attestations for foundry-rs/foundry

[suzuki-shunsuke]

Thank you for your contribution!

[suzuki-shunsuke]

📝 I'm looking into the version which they started to release attestations from.

• chore: Add GH attestation for foundry binaries foundry-rs/foundry#9546
  • foundry-rs/foundry@e22a9ec

[suzuki-shunsuke]

Why did you set 1.3.0-rc1?

[heri16]

Attestations were not fully enabled until 1.3.0-rc1. You can confirm this through the missing attestation artifacts in GitHub’s release page.

[suzuki-shunsuke]

The verification failed.

Error: HTTP 404: Not Found (https://api.github.com/repos/foundry-rs/foundry/attestations/sha256:f7cb873a296f08a61349b9a9114c3a0c171a1d33e4018f64ac21b7fa7c3ee9d7?per_page=30&predicate_type=https://slsa.dev/provenance/v1)

WARN[0007] execute gh attestation verify
args="attestation verify /tmp/887486218 -R foundry-rs/foundry --signer-workflow foundry-rs/foundry/.github/workflows/release.yml"
env=linux/arm64
error="exit status 1"
exe=/home/runner/.local/share/aquaproj-aqua/pkgs/github_release/github.com/cli/cli/v2.82.1/gh_2.82.1_linux_arm64.tar.gz/gh_2.82.1_linux_arm64/bin/gh 
package_name=foundry-rs/foundry
package_version=v1.4.4
program=aqua program_version=2.55.1 registry=standard

[suzuki-shunsuke]

I see. aqua can't verify their attestations because foundry create attestations of executable binaries instead of archive files (tarball and zip).
aqua verifies archive files, so the verification fails.

v1.4.4 https://github.com/foundry-rs/foundry/attestations/12664565

https://github.com/foundry-rs/foundry/blob/2f09f9a63dcb23907c560ceb0c06558835f10276/.github/workflows/release.yml#L261-L269

[heri16]

I see. aqua can't verify their attestations because foundry create attestations of executable binaries instead of archive files (tarball and zip). aqua verifies archive files, so the verification fails.

v1.4.4 https://github.com/foundry-rs/foundry/attestations/12664565

https://github.com/foundry-rs/foundry/blob/2f09f9a63dcb23907c560ceb0c06558835f10276/.github/workflows/release.yml#L261-L269

I’m not sure I understand. What would be the way forward to verify foundry binaries that are downloaded by aqua? Wouldn’t attestation of binaries be functionally equivalent to archive attestation? Could the Checksum module be made to work if foundry repo don’t produce checksums?