fix: resolve status command to ~/.auths, add release signing and workflow scripts

Author: bordumb

.github/workflows/release.yml

@@ -98,13 +98,49 @@ jobs:
           $hash = (Get-FileHash ${{ matrix.asset_name }}${{ matrix.ext }} -Algorithm SHA256).Hash.ToLower()
           "$hash  ${{ matrix.asset_name }}${{ matrix.ext }}" | Out-File -Encoding ascii ${{ matrix.asset_name }}${{ matrix.ext }}.sha256
 
+      - name: Install auths for artifact signing (Unix)
+        if: matrix.ext == '.tar.gz'
+        run: |
+          cargo build --release --package auths-cli
+          sudo cp target/release/auths /usr/local/bin/auths
+
+      - name: Sign artifact (Unix)
+        if: matrix.ext == '.tar.gz'
+        env:
+          AUTHS_PASSPHRASE: ${{ secrets.AUTHS_CI_PASSPHRASE }}
+          AUTHS_CI_KEYCHAIN_B64: ${{ secrets.AUTHS_CI_KEYCHAIN }}
+          AUTHS_CI_IDENTITY_BUNDLE_B64: ${{ secrets.AUTHS_CI_IDENTITY_BUNDLE }}
+          AUTHS_KEYCHAIN_BACKEND: file
+          AUTHS_KEYCHAIN_FILE: /tmp/auths-ci-keychain
+        run: |
+          if [ -z "$AUTHS_PASSPHRASE" ] || [ -z "$AUTHS_CI_KEYCHAIN_B64" ] || [ -z "$AUTHS_CI_IDENTITY_BUNDLE_B64" ]; then
+            echo "Skipping artifact signing: AUTHS_CI_PASSPHRASE, AUTHS_CI_KEYCHAIN, and AUTHS_CI_IDENTITY_BUNDLE must all be set (run 'just ci-setup' to populate them)"
+            exit 0
+          fi
+
+          printf '%s' "$AUTHS_CI_KEYCHAIN_B64" | tr -d '[:space:]' | base64 -d > /tmp/auths-ci-keychain
+          mkdir -p /tmp/auths-identity
+          printf '%s' "$AUTHS_CI_IDENTITY_BUNDLE_B64" | tr -d '[:space:]' | base64 -d | tar -xz -C /tmp/auths-identity
+
+          if ! git -C /tmp/auths-identity rev-parse --git-dir > /dev/null 2>&1; then
+            echo "Skipping artifact signing: AUTHS_CI_IDENTITY_BUNDLE does not contain a valid git repository."
+            echo "Re-run 'just ci-setup' to regenerate the secret, then update AUTHS_CI_IDENTITY_BUNDLE in GitHub Secrets."
+            exit 0
+          fi
+
+          auths artifact sign ${{ matrix.asset_name }}${{ matrix.ext }} \
+            --device-key-alias ci-release-device \
+            --note "GitHub Actions release — ${{ github.ref_name }}" \
+            --repo /tmp/auths-identity
+
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.asset_name }}
           path: |
             ${{ matrix.asset_name }}${{ matrix.ext }}
             ${{ matrix.asset_name }}${{ matrix.ext }}.sha256
+            ${{ matrix.asset_name }}${{ matrix.ext }}.auths.json
 
   release:
     needs: build

crates/auths-cli/src/commands/status.rs

@@ -4,6 +4,7 @@ use crate::ux::format::{JsonResponse, Output, is_json_mode};
 use anyhow::{Result, anyhow};
 use auths_id::storage::attestation::AttestationSource;
 use auths_id::storage::identity::IdentityStorage;
+use auths_id::storage::layout;
 use auths_storage::git::{RegistryAttestationStorage, RegistryIdentityStorage};
 use chrono::{DateTime, Duration, Utc};
 use clap::Parser;
@@ -358,21 +359,9 @@ fn get_auths_dir() -> Result<PathBuf> {
     auths_core::paths::auths_home().map_err(|e| anyhow!(e))
 }
 
-/// Resolve the repository path from optional argument or default.
+/// Resolve the repository path from optional argument or default (~/.auths).
 fn resolve_repo_path(repo_arg: Option<PathBuf>) -> Result<PathBuf> {
-    match repo_arg {
-        Some(pathbuf) if !pathbuf.as_os_str().is_empty() => Ok(pathbuf),
-        _ => {
-            // Try current directory first
-            let cwd = std::env::current_dir()?;
-            if crate::factories::storage::discover_git_repo(&cwd).is_ok() {
-                Ok(cwd)
-            } else {
-                // Fall back to ~/.auths
-                get_auths_dir()
-            }
-        }
-    }
+    layout::resolve_repo_path(repo_arg).map_err(|e| anyhow!(e))
 }
 
 /// Check if a process with the given PID is running.

scripts/auths_workflows/artifact_signing.py

@@ -0,0 +1,280 @@
+#!/usr/bin/env python3
+"""
+Test the full release artifact signing workflow locally (macOS aarch64).
+
+Usage:
+    python scripts/auths_workflows/artifact_signing.py          # run the full workflow
+    python scripts/auths_workflows/artifact_signing.py --skip-build  # reuse existing build
+
+What it does:
+    1. Checks prerequisites (cargo, auths identity, device keys)
+    2. Builds release binaries (cargo build --release -p auths-cli)
+    3. Packages them into auths-macos-aarch64.tar.gz (same as CI)
+    4. Generates SHA256 checksum
+    5. Signs the artifact with `auths artifact sign`
+    6. Displays the .auths.json attestation
+    7. Verifies the attestation with `auths artifact verify`
+    8. Cleans up
+
+Requires:
+    - macOS aarch64
+    - cargo on PATH
+    - auths identity set up (`auths status` shows identity)
+    - At least one device key alias (`auths key list`)
+
+This mirrors the release.yml workflow so you can validate signing
+works before pushing a tag.
+"""
+
+import json
+import os
+import shutil
+import subprocess
+import sys
+import tempfile
+from pathlib import Path
+
+REPO_ROOT = Path(__file__).resolve().parents[2]
+TARGET = "aarch64-apple-darwin"
+ASSET_NAME = "auths-macos-aarch64"
+EXT = ".tar.gz"
+BINARIES = ["auths", "auths-sign", "auths-verify"]
+
+# ANSI colors
+GREEN = "\033[92m"
+YELLOW = "\033[93m"
+RED = "\033[91m"
+CYAN = "\033[96m"
+BOLD = "\033[1m"
+RESET = "\033[0m"
+
+
+def step(n: int, msg: str) -> None:
+    print(f"\n{BOLD}{CYAN}[Step {n}]{RESET} {BOLD}{msg}{RESET}")
+
+
+def ok(msg: str) -> None:
+    print(f"  {GREEN}✓{RESET} {msg}")
+
+
+def warn(msg: str) -> None:
+    print(f"  {YELLOW}⚠{RESET} {msg}")
+
+
+def fail(msg: str) -> None:
+    print(f"  {RED}✗{RESET} {msg}", file=sys.stderr)
+
+
+def run(cmd: list[str], **kwargs) -> subprocess.CompletedProcess:
+    """Run a command, print it, and return the result."""
+    display = " ".join(cmd)
+    print(f"  $ {display}", flush=True)
+    return subprocess.run(cmd, **kwargs)
+
+
+def run_checked(cmd: list[str], **kwargs) -> subprocess.CompletedProcess:
+    result = run(cmd, capture_output=True, text=True, **kwargs)
+    if result.returncode != 0:
+        fail(f"Command failed (exit {result.returncode})")
+        if result.stderr.strip():
+            print(f"    stderr: {result.stderr.strip()}")
+        sys.exit(1)
+    return result
+
+
+def main() -> None:
+    skip_build = "--skip-build" in sys.argv
+
+    print(f"{BOLD}{'='*60}{RESET}")
+    print(f"{BOLD}  Artifact Signing Workflow — Local Test{RESET}")
+    print(f"{BOLD}{'='*60}{RESET}")
+
+    # ── Step 1: Prerequisites ──
+    step(1, "Checking prerequisites")
+
+    if shutil.which("cargo") is None:
+        fail("cargo not found on PATH")
+        sys.exit(1)
+    ok("cargo found")
+
+    if shutil.which("auths") is None:
+        fail("auths not found on PATH. Run: cargo install --path crates/auths-cli")
+        sys.exit(1)
+    ok("auths found")
+
+    # Check identity exists
+    result = run_checked(["auths", "status"], cwd=REPO_ROOT)
+    if "not initialized" in result.stdout.lower():
+        fail("No auths identity found. Run: auths init")
+        sys.exit(1)
+    ok("auths identity exists")
+
+    print(f"\n  {CYAN}--- auths status ---{RESET}")
+    for line in result.stdout.strip().splitlines():
+        print(f"  {line}")
+
+    # Check device keys
+    key_result = run_checked(["auths", "key", "list"], cwd=REPO_ROOT)
+    if not key_result.stdout.strip():
+        fail("No device keys found. You need at least one key alias.")
+        sys.exit(1)
+    ok("device keys found")
+
+    print(f"\n  {CYAN}--- auths key list ---{RESET}")
+    for line in key_result.stdout.strip().splitlines():
+        print(f"  {line}")
+
+    # Ask user which device key alias to use
+    print()
+    device_alias = input(f"  {BOLD}Enter device-key-alias to use for signing:{RESET} ").strip()
+    if not device_alias:
+        fail("No alias provided.")
+        sys.exit(1)
+
+    # Optionally ask for identity key alias
+    identity_alias = input(
+        f"  {BOLD}Enter identity-key-alias (leave blank for device-only):{RESET} "
+    ).strip()
+
+    # ── Step 2: Build ──
+    work_dir = Path(tempfile.mkdtemp(prefix="auths-release-test-"))
+    print(f"\n  Working directory: {work_dir}")
+
+    if skip_build:
+        step(2, "Skipping build (--skip-build)")
+        # Verify binaries exist
+        for binary in BINARIES:
+            path = REPO_ROOT / "target" / "release" / binary
+            if not path.exists():
+                fail(f"Binary not found: {path}")
+                fail("Run without --skip-build first.")
+                shutil.rmtree(work_dir)
+                sys.exit(1)
+        ok("Existing release binaries found")
+    else:
+        step(2, "Building release binaries")
+        result = run(
+            ["cargo", "build", "--release", "--package", "auths-cli"],
+            cwd=REPO_ROOT,
+        )
+        if result.returncode != 0:
+            fail("Build failed")
+            shutil.rmtree(work_dir)
+            sys.exit(1)
+        ok("Build complete")
+
+    # ── Step 3: Package ──
+    step(3, "Packaging binaries into tarball")
+    staging = work_dir / "staging"
+    staging.mkdir()
+
+    for binary in BINARIES:
+        src = REPO_ROOT / "target" / "release" / binary
+        if src.exists():
+            shutil.copy2(src, staging / binary)
+            ok(f"Copied {binary}")
+        else:
+            warn(f"Binary not found: {binary} (skipped)")
+
+    tarball = work_dir / f"{ASSET_NAME}{EXT}"
+    run_checked(
+        ["tar", "-czf", str(tarball), "-C", str(staging), "."],
+    )
+    size_mb = tarball.stat().st_size / (1024 * 1024)
+    ok(f"Created {tarball.name} ({size_mb:.1f} MB)")
+
+    # ── Step 4: SHA256 checksum ──
+    step(4, "Generating SHA256 checksum")
+    checksum_file = work_dir / f"{ASSET_NAME}{EXT}.sha256"
+    result = run_checked(["shasum", "-a", "256", str(tarball)])
+    checksum_line = result.stdout.strip()
+    checksum_file.write_text(checksum_line + "\n")
+    ok(f"Checksum: {checksum_line.split()[0]}")
+
+    # ── Step 5: Sign artifact ──
+    step(5, "Signing artifact with auths")
+    sign_cmd = [
+        "auths", "artifact", "sign", str(tarball),
+        "--device-key-alias", device_alias,
+        "--note", "Local signing test",
+    ]
+    if identity_alias:
+        sign_cmd.extend(["--identity-key-alias", identity_alias])
+
+    result = run(sign_cmd, cwd=REPO_ROOT)
+    if result.returncode != 0:
+        fail("Artifact signing failed")
+        print(f"\n  Working directory preserved at: {work_dir}")
+        sys.exit(1)
+
+    attestation_file = Path(f"{tarball}.auths.json")
+    if not attestation_file.exists():
+        fail(f"Expected attestation file not found: {attestation_file}")
+        print(f"\n  Working directory preserved at: {work_dir}")
+        sys.exit(1)
+    ok(f"Created {attestation_file.name}")
+
+    # ── Step 6: Display attestation ──
+    step(6, "Attestation contents")
+    attestation_raw = attestation_file.read_text()
+    try:
+        attestation = json.loads(attestation_raw)
+        formatted = json.dumps(attestation, indent=2)
+        print(f"\n  {CYAN}--- {attestation_file.name} ---{RESET}")
+        for line in formatted.splitlines():
+            print(f"  {line}")
+    except json.JSONDecodeError:
+        print(f"  (raw): {attestation_raw[:500]}")
+
+    # ── Step 7: Verify attestation ──
+    step(7, "Verifying attestation")
+    result = run(
+        ["auths", "artifact", "verify", str(tarball)],
+        cwd=REPO_ROOT,
+        capture_output=True,
+        text=True,
+    )
+    if result.returncode == 0:
+        ok("Verification passed")
+        if result.stdout.strip():
+            for line in result.stdout.strip().splitlines():
+                print(f"  {line}")
+    else:
+        warn(f"Verification returned exit {result.returncode}")
+        if result.stdout.strip():
+            for line in result.stdout.strip().splitlines():
+                print(f"  {line}")
+        if result.stderr.strip():
+            for line in result.stderr.strip().splitlines():
+                print(f"  {line}")
+
+    # ── Step 8: Summary ──
+    step(8, "Cleanup and summary")
+    print(f"\n  {CYAN}Files produced:{RESET}")
+    for f in sorted(work_dir.iterdir()):
+        if f.is_file():
+            size = f.stat().st_size
+            print(f"    {f.name:50s} {size:>10,} bytes")
+    for f in [attestation_file]:
+        if f.exists() and f.parent != work_dir:
+            size = f.stat().st_size
+            print(f"    {f.name:50s} {size:>10,} bytes")
+
+    # Clean up
+    shutil.rmtree(work_dir)
+    if attestation_file.exists():
+        attestation_file.unlink()
+    ok("Cleaned up temp files")
+
+    print(f"\n{BOLD}{GREEN}{'='*60}{RESET}")
+    print(f"{BOLD}{GREEN}  Artifact signing workflow completed successfully!{RESET}")
+    print(f"{BOLD}{GREEN}{'='*60}{RESET}")
+    print(f"\n  This confirms the release.yml signing step will work in CI.")
+    print(f"  Make sure these GitHub secrets are set (via 'just ci-setup'):")
+    print(f"    • AUTHS_CI_PASSPHRASE")
+    print(f"    • AUTHS_CI_KEYCHAIN")
+    print(f"    • AUTHS_CI_IDENTITY_BUNDLE\n")
+
+
+if __name__ == "__main__":
+    main()