From 802f2854cdeec37bbe8deccfcbee19ba2a367fc9 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 08:03:20 +0300 Subject: [PATCH 01/18] Try Artifact Attestations --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 926dee5..3c6f491 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,9 @@ jobs: runs-on: windows-latest + permissions: + attestations: write + steps: - uses: actions/checkout@v3 - name: Add msbuild to PATH @@ -91,6 +94,11 @@ jobs: del bin\Win32\Release\*.ipdb tar.exe -acf x64-windows-release.zip bin\x64\Release tar.exe -acf x86-windows-release.zip bin\Win32\Release + - name: Attest Build Provenance + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 From ea6065bea10379e72bd7167c7c2c71c500ec6baf Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 08:13:33 +0300 Subject: [PATCH 02/18] ci: Fix permissions --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c6f491..e49bec1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -70,6 +70,7 @@ jobs: permissions: attestations: write + id-token: write steps: - uses: actions/checkout@v3 From 9cd9c586073535ef8591d6c65fa7fed3cd50969c Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 08:29:42 +0300 Subject: [PATCH 03/18] ci: Try to figure out what are the required permissions --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) 
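Review bot: The `permissions:` block added under `runs-on: windows-latest` in PATCH 01/18 is at job scope, so every step gets the write scopes on every event that starts the job, although only the steps gated on `github.event_name == 'release'` use them. PATCH 02/18 and 03/18 widen the same block with `id-token: write` and `contents: write`, and PATCH 13/18 copies it to the `ubuntu-latest` job. Third-party actions referenced by tag run in the same job (`AButler/upload-release-assets@v2.0.2` is visible in the context lines) and see the same token. I would leave the build job with `contents: read` and move attestation and upload into a release-only job that receives the archives as workflow artifacts, as sketched below. The job definition and the workflow triggers are outside these hunks, so the job ids are placeholders.

```yaml
    # build job: read-only token, runs on every event
    permissions:
      contents: read
    # … unchanged: checkout, msbuild setup, build and tar.exe packaging steps …
      - uses: actions/upload-artifact@<full-commit-sha>  # placeholder pin
        with:
          name: windows-release
          path: '*-windows-release.zip'

  # new job: the only place the write scopes exist
  attest-and-release-windows:
    needs: <windows-build-job-id>  # placeholder, job id is outside the hunk
    if: ${{ github.event_name == 'release' }}
    runs-on: windows-latest
    permissions:
      attestations: write
      id-token: write
      contents: write
    steps:
      - uses: actions/download-artifact@<full-commit-sha>  # placeholder pin
        with:
          name: windows-release
      # … unchanged: Attest Build Provenance and Release steps …
```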
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e49bec1..3c0deb6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -71,6 +71,7 @@ jobs: permissions: attestations: write id-token: write + contents: write steps: - uses: actions/checkout@v3 From 0086ea6edf39faaac3d369b6b3288749b99c18ad Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 10:25:53 +0300 Subject: [PATCH 04/18] ci: Attest provenance for each build artefact, not just the archives --- .github/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c0deb6..a2b7f8a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -98,9 +98,11 @@ jobs: tar.exe -acf x86-windows-release.zip bin\Win32\Release - name: Attest Build Provenance if: ${{ github.event_name == 'release' }} - uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + uses: actions/attest-build-provenance@v1.1.0 with: - subject-path: '*-windows-release.zip' + subject-path: | + 'bin/**/Release/*' + '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 From 2f53b0c2282c3bfc8fb6cf2448416913794a2f3a Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 10:37:02 +0300 Subject: [PATCH 05/18] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a2b7f8a..0c6f055 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,7 @@ jobs: uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - 'bin/**/Release/*' + 'bin\**\Release\*' '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} 
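Review bot: The `contents: write` line added in PATCH 03/18 carries no explanation, and the commit subject says the scopes were found by trial, so a comment per scope would record which step needs it. As far as I know the README of `actions/attest-build-provenance` asks for `id-token: write`, `attestations: write` and `contents: read`, so write access to contents is presumably there for the `Release` upload step rather than for attestation. I would add `# attestations + id-token: required by attest-build-provenance` above the first two lines and `# contents: write is for the release-asset upload (confirm)` above the third. The same block is repeated for the Linux job in PATCH 13/18.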
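Review bot: `uses: actions/attest-build-provenance@v1.1.0` in PATCH 04/18 drops the full commit-SHA pin that the removed line had and references a tag, which can later be moved to different code. This step runs with `id-token: write` and `attestations: write`, so whatever the tag resolves to is the code that signs provenance for the release files. Keep the pin when bumping the version: `uses: actions/attest-build-provenance@<full-commit-sha-of-v1.1.0> # v1.1.0`. The tag form is carried through the later revisions of this step (PATCH 06/18 to 12/18), including the four trial steps in PATCH 10/18 and the new Linux step in PATCH 12/18.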
From 27779875308a5eca633bdc57c75c19e0b5109112 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 10:49:10 +0300 Subject: [PATCH 06/18] Update ci.yml --- .github/workflows/ci.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c6f055..72903d8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -96,12 +96,19 @@ jobs: del bin\Win32\Release\*.ipdb tar.exe -acf x64-windows-release.zip bin\x64\Release tar.exe -acf x86-windows-release.zip bin\Win32\Release + - name: Debug + run: | + dir . + dir bin + dir bin\Win32 + dir bin\Win32\Release - name: Attest Build Provenance if: ${{ github.event_name == 'release' }} uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - 'bin\**\Release\*' + 'bin\Win32\Release\*' + 'bin\x64\Release\*' '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} From 982a08475be8d7c7ed72b36ec1dc29a09b2876df Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 10:54:24 +0300 Subject: [PATCH 07/18] Update ci.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72903d8..195f393 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -107,8 +107,8 @@ jobs: uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - 'bin\Win32\Release\*' - 'bin\x64\Release\*' + 'bin\**\Release\*.exe' + 'bin\**\Release\*.lib' '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} From 02d5b9803f8b51f7e5cfd4021941cbf13306c620 Mon Sep 17 00:00:00 2001 
From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:01:11 +0300 Subject: [PATCH 08/18] Update ci.yml --- .github/workflows/ci.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 195f393..b798313 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -107,8 +107,12 @@ jobs: uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - 'bin\**\Release\*.exe' - 'bin\**\Release\*.lib' + 'bin\x64\Release\disasmtool.exe' + 'bin\x64\Release\bddisasm.lib' + 'bin\x64\Release\bdshemu.lib' + 'bin\Win32\Release\disasmtool.exe' + 'bin\Win32\Release\bddisasm.lib' + 'bin\Win32\Release\bdshemu.lib' '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} From e12c77a4cd88d7ece9acf26d845787bca0cbb650 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:06:43 +0300 Subject: [PATCH 09/18] Update ci.yml --- .github/workflows/ci.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b798313..05c7c1f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -102,17 +102,19 @@ jobs: dir bin dir bin\Win32 dir bin\Win32\Release + dir bin\x64 + dir bin\x64\Release - name: Attest Build Provenance if: ${{ github.event_name == 'release' }} uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - 'bin\x64\Release\disasmtool.exe' - 'bin\x64\Release\bddisasm.lib' - 'bin\x64\Release\bdshemu.lib' - 'bin\Win32\Release\disasmtool.exe' - 'bin\Win32\Release\bddisasm.lib' - 'bin\Win32\Release\bdshemu.lib' + '.\bin\x64\Release\disasmtool.exe' + '.\bin\x64\Release\bddisasm.lib' + '.\bin\x64\Release\bdshemu.lib' + '.\bin\Win32\Release\disasmtool.exe' + '.\bin\Win32\Release\bddisasm.lib' + '.\bin\Win32\Release\bdshemu.lib' '*-windows-release.zip' - name: Release if: ${{ github.event_name == 'release' }} From ecba4412f5c1a484902a4510ad411326c295218b Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:23:02 +0300 Subject: [PATCH 10/18] Update ci.yml --- .github/workflows/ci.yml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05c7c1f..9da832b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -108,14 +108,22 @@ jobs: if: ${{ github.event_name == 'release' }} uses: actions/attest-build-provenance@v1.1.0 with: - subject-path: | - '.\bin\x64\Release\disasmtool.exe' - '.\bin\x64\Release\bddisasm.lib' - '.\bin\x64\Release\bdshemu.lib' - '.\bin\Win32\Release\disasmtool.exe' - '.\bin\Win32\Release\bddisasm.lib' - '.\bin\Win32\Release\bdshemu.lib' - '*-windows-release.zip' + subject-path: bin\x64\Release\disasmtool.exe + - name: Attest Build Provenance 2 + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@v1.1.0 + with: + subject-path: .\bin\x64\Release\disasmtool.exe + - name: Attest Build Provenance 3 + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@v1.1.0 + with: + subject-path: bin/x64/Release/disasmtool.exe + - name: Attest Build Provenance 4 + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@v1.1.0 + with: + subject-path: ./bin/x64/Release/disasmtool.exe - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 From 567a24b4f200568e4ed994e05ff8cdc6f9b5d633 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:28:51 +0300 Subject: [PATCH 11/18] Update ci.yml --- .github/workflows/ci.yml | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9da832b..51f330f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -108,22 +108,14 @@ jobs: if: ${{ github.event_name == 'release' }} uses: actions/attest-build-provenance@v1.1.0 with: - subject-path: bin\x64\Release\disasmtool.exe - - name: Attest Build Provenance 2 - if: ${{ github.event_name == 'release' }} - uses: actions/attest-build-provenance@v1.1.0 - with: - subject-path: .\bin\x64\Release\disasmtool.exe - - name: Attest Build Provenance 3 - if: ${{ github.event_name == 'release' }} - uses: actions/attest-build-provenance@v1.1.0 - with: - subject-path: bin/x64/Release/disasmtool.exe - - name: Attest Build Provenance 4 - if: ${{ github.event_name == 'release' }} - uses: actions/attest-build-provenance@v1.1.0 - with: - subject-path: ./bin/x64/Release/disasmtool.exe + subject-path: | + .\bin\x64\Release\disasmtool.exe + .\bin\x64\Release\bddisasm.lib + .\bin\x64\Release\bdshemu.lib + .\bin\Win32\Release\disasmtool.exe + .\bin\Win32\Release\bddisasm.lib + .\bin\Win32\Release\bdshemu.lib + *-windows-release.zip - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 From ff8260e0dc4294864a18eb245337ef45965ea884 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:40:00 +0300 Subject: [PATCH 12/18] Update ci.yml --- .github/workflows/ci.yml | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 51f330f..ff04387 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,6 +57,14 @@ jobs: cd build sudo make package cd - + - name: Attest Build Provenance + if: ${{ github.event_name == 'release' }} + uses: actions/attest-build-provenance@v1.1.0 + with: + subject-path: | + build/disasmtool + build/*.a + build/*.deb - name: Release if: ${{ github.event_name == 'release' }} uses: AButler/upload-release-assets@v2.0.2 
@@ -96,25 +104,12 @@ jobs: del bin\Win32\Release\*.ipdb tar.exe -acf x64-windows-release.zip bin\x64\Release tar.exe -acf x86-windows-release.zip bin\Win32\Release - - name: Debug - run: | - dir . - dir bin - dir bin\Win32 - dir bin\Win32\Release - dir bin\x64 - dir bin\x64\Release - name: Attest Build Provenance if: ${{ github.event_name == 'release' }} uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - .\bin\x64\Release\disasmtool.exe - .\bin\x64\Release\bddisasm.lib - .\bin\x64\Release\bdshemu.lib - .\bin\Win32\Release\disasmtool.exe - .\bin\Win32\Release\bddisasm.lib - .\bin\Win32\Release\bdshemu.lib + bin\**\Release\* *-windows-release.zip - name: Release if: ${{ github.event_name == 'release' }} From 7f537ce01931f486131c047d5f611f596c199fb3 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:48:52 +0300 Subject: [PATCH 13/18] Update ci.yml --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ff04387..99d3330 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,6 +28,11 @@ jobs: runs-on: ubuntu-latest + permissions: + attestations: write + id-token: write + contents: write + steps: - uses: actions/checkout@v3 - name: Build all From fc504017c9c330da0967597f2cd372346f42a530 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 11:56:59 +0300 Subject: [PATCH 14/18] Update ci.yml --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 99d3330..f334e9c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,7 +67,7 @@ jobs: uses: actions/attest-build-provenance@v1.1.0 with: subject-path: | - build/disasmtool + build/disasmtool/disasmtool build/*.a build/*.deb - name: Release 
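Review bot: `bin\**\Release\*` in the second hunk of PATCH 12/18 makes the attestation cover every file left in any `Release` directory instead of the six named outputs it replaces. The `del bin\Win32\Release\*.ipdb` context line shows that these directories also hold build by-products, so the signed subject set now depends on what the cleanup happens to leave behind. I would keep the explicit list, or at least narrow the pattern by extension, for example `bin\**\Release\*.exe` and `bin\**\Release\*.lib`, so the subjects match what the release publishes. Whether the action fails when a pattern matches nothing is not visible here and is worth checking, since PATCH 14/18 had to correct `build/disasmtool` on the Linux side.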
From fcf9c7967933e9b93cf82d63623ee059a67569ef Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 12:08:39 +0300 Subject: [PATCH 15/18] Update README.md --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 75f6e74..9e4b14b 100644 --- a/README.md +++ b/README.md @@ -159,6 +159,23 @@ The results will be in the bin directory in the root of the repository. [nd_vsnprintf_s and nd_memset](#nd_vsnprintf_s-and-nd_memset) will not be defined by `bddisasm`, integrators must provide these functions. +## Using pre-compiled binaries + +Each release publishes static libraries, as well as the `disasmtool` CLI tool. + +You can verify these artifacts using [GitHub Artifact Attestation](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/): + +```console +# Verify a component +$ gh attestation verify disasmtool -o bitdefender +# Or the entire bundle +$ gh attestation verify x86-windows-release.zip -o bitdefender +``` + +This is not available for bddisasm 2.1.4 or older. + +Note that this is currently a beta feature (see [Introducing Artifact Attestations–now in public beta](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/) for details). + ## Decoding x86 instructions ### Decoding API From 95aab171e49b5b598e843fcb6c64048984941b8a Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 12:13:04 +0300 Subject: [PATCH 16/18] Update ci.yml --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f334e9c..8acb3cc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -34,7 +34,7 @@ jobs: contents: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build all run: | mkdir build @@ -87,7 +87,7 @@ jobs: contents: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Add msbuild to PATH uses: microsoft/setup-msbuild@v1.3 - name: Setup Windows SDK @@ -129,7 +129,7 @@ jobs: permissions: read-all steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Add msbuild to PATH uses: microsoft/setup-msbuild@v1.3 - uses: ilammy/msvc-dev-cmd@v1 @@ -147,7 +147,7 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Build all run: | mkdir build @@ -162,7 +162,7 @@ jobs: permissions: read-all steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Install cppcheck run: sudo apt install -y cppcheck - name: Run cppcheck From 690edbdf87ca11a5cae8c59657bd133098a451c2 Mon Sep 17 00:00:00 2001 From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 12:16:54 +0300 Subject: [PATCH 17/18] Update ci.yml --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8acb3cc..d5e1d35 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -89,7 +89,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.3 + uses: microsoft/setup-msbuild@v2 - name: Setup Windows SDK uses: fbactions/setup-winsdk@v1 with: @@ -131,7 +131,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Add msbuild to PATH - uses: microsoft/setup-msbuild@v1.3 + uses: microsoft/setup-msbuild@v2 - uses: ilammy/msvc-dev-cmd@v1 - uses: seanmiddleditch/gha-setup-ninja@master - name: Build all From 4e37a3a312b5753bd836293d47b1c8565c2e18d2 Mon Sep 17 00:00:00 2001 
From: Anichitei Ionel-Cristinel <49393881+ianichitei@users.noreply.github.com> Date: Wed, 8 May 2024 12:23:01 +0300 Subject: [PATCH 18/18] Update rust.yml --- .github/workflows/rust.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 1c90121..5dca5d4 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -20,7 +20,7 @@ jobs: permissions: read-all steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Set LIBCLANG_PATH run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV if: matrix.os == 'windows-latest'