Attestation update

.github/workflows/package.yml

@@ -22,6 +22,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     container: seladb/${{ matrix.image }}
     strategy:
       matrix:
@@ -66,6 +68,12 @@ jobs:
       - name: Package
         run: cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        id: attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.deb,${{ env.BUILD_DIR }}/*.rpm"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
@@ -79,6 +87,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         include:
@@ -101,19 +111,27 @@ jobs:
             cmake --build "$BUILD_DIR" -j 4
             cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        id: attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.tar.gz"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.BUILD_DIR }}/*.tar.gz
+          artifacts: "${{ env.BUILD_DIR }}/*.tar.gz"
 
   macos:
     runs-on: macos-12
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         xcode-version: [14.2.0, 13.4.1]
@@ -137,6 +155,12 @@ jobs:
       - name: Package
         run: cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        id: attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.tar.gz,${{ env.BUILD_DIR }}/*.pkg"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
@@ -150,6 +174,8 @@ jobs:
     runs-on: windows-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     strategy:
       matrix:
         include:
@@ -200,14 +226,20 @@ jobs:
         shell: msys2 {0}
         run: cmake --build "$BUILD_DIR" --target package
 
+      - name: Generate artifact attestation
+        id: attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.zip"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.BUILD_DIR }}/*.zip
+          artifacts: "${{ env.BUILD_DIR }}/*.zip"
 
   visual-studio:
     strategy:
@@ -219,6 +251,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
@@ -242,14 +276,20 @@ jobs:
       - name: Package
         run: cmake --build "$env:BUILD_DIR" --config ${{ matrix.configuration }} --target package
 
+      - name: Generate artifact attestation
+        id: attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.BUILD_DIR }}/*.zip"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.BUILD_DIR }}/*.zip
+          artifacts: "${{ env.BUILD_DIR }}/*.zip"
 
   android-build:
     strategy:
@@ -312,6 +352,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      attestations: write
+      id-token: write
 
     steps:
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
@@ -324,11 +366,18 @@ jobs:
           export PACKAGE_DIR=$(ls | grep pcapplusplus)
           echo "PACKAGE_DIR=$PACKAGE_DIR" >> $GITHUB_ENV
           tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}"
+
+      - name: Generate artifact attestation
+        id: attestation
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        with:
+          subject-path: "${{ env.PACKAGE_DIR }}.tar.gz"
+
       - name: Upload binaries to release
         if: github.ref_type == 'tag'
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           allowUpdates: true
           updateOnlyUnreleased: true
-          artifacts: ${{ env.PACKAGE_DIR }}.tar.gz
+          artifacts: "${{ env.PACKAGE_DIR }}.tar.gz"

README.md

@@ -96,6 +96,20 @@ git clone https://github.com/seladb/PcapPlusPlus.git
 
 Follow the build instructions according to your platform in the [Build From Source](https://pcapplusplus.github.io/docs/install#build-from-source) page in PcapPlusPlus web-site.
 
+### Verify your packages
+
+PcapPlusPlus releases which newer than v23.09 are signed with GitHub attestation. You can verify the attestation of these packages with GitHub CLI. To verify packages you can follow the most recent instructions from [gh attestation verify](https://cli.github.com/manual/gh_attestation_verify). For simple instructions you can use the following command:
+
+```shell
+gh attestation verify <path-to-package-file> --repository seladb/PcapPlusPlus
+```
+
+and you should see the following output in your terminal:
+
+```shell
+✓ Verification succeeded!
+```
+
 ## Feature Overview
 
 - __Packet capture__ through an easy to use C++ wrapper for popular packet capture engines such as [libpcap](https://www.tcpdump.org/), [WinPcap](https://www.winpcap.org/), [Npcap](https://nmap.org/npcap/), [Intel DPDK](https://www.dpdk.org/), [eBPF AF_XDP](https://www.kernel.org/doc/html/next/networking/af_xdp.html), [ntop’s PF_RING](https://www.ntop.org/products/packet-capture/pf_ring/) and [raw sockets](https://en.wikipedia.org/wiki/Network_socket#Raw_socket) [[Learn more](https://pcapplusplus.github.io/docs/features#packet-capture)]