
Feature request: Please sign your releases #3001

Open
udf2457 opened this issue Apr 20, 2024 · 5 comments

Comments


udf2457 commented Apr 20, 2024

It is easier than ever to do in 2024! You can even do it fully automated via GitHub Actions, GitHub OIDC and Sigstore "keyless" signing.

jpds (Contributor) commented May 25, 2024

The Git tags now appear to be signed - so I think this can be closed.

kranurag7 commented

Git tags are now signed by GPG keys, and I think the issue comment requests keyless signing of artifacts using cosign.

udf2457 (Author) commented Jul 15, 2024

What @kranurag7 said.

What use are signed git commits to me if I'm downloading artifacts?

You presently provide nothing with your artifacts. There is a sha256 file, but there's no signature to go with it, so you are not even providing the most basic of basics.

Meanwhile SLSA is the 2024 way to sign your artefacts, so if you're going to do something, you might as well do that instead of simply introducing signed sha256 files.
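As an added illustration of the keyless flow requested in this thread (not part of the issue, and not the project's own workflow): a GitHub Actions workflow that builds a release tarball, writes a checksum file, signs that file with cosign using the job's OIDC identity, and attaches everything to the release. The build step, the artifact name and `OWNER/REPO` in the verification comment are placeholders.

```yaml
name: sign-release-artifacts
on:
  release:
    types: [published]

permissions:
  contents: write   # needed to upload assets to the GitHub release
  id-token: write   # lets the job mint the OIDC token Sigstore exchanges for a short-lived cert

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release artifact (placeholder for the project's real build)
        run: |
          mkdir -p dist
          tar --exclude=./dist --exclude=./.git -czf "dist/example-${{ github.event.release.tag_name }}.tar.gz" .

      - name: Write checksum file covering every artifact
        working-directory: dist
        run: sha256sum *.tar.gz > SHA256SUMS

      - uses: sigstore/cosign-installer@v3

      - name: Sign the checksum file keylessly (identity comes from the OIDC token, no stored key)
        working-directory: dist
        run: cosign sign-blob --yes --bundle SHA256SUMS.sigstore.json SHA256SUMS

      - name: Attach artifact, checksums and signature bundle to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" dist/*.tar.gz dist/SHA256SUMS dist/SHA256SUMS.sigstore.json

# A downloader checks the signature first, then the checksums it vouches for.
# OWNER/REPO is a placeholder; the identity pins the signature to this repository's workflows:
#   cosign verify-blob --bundle SHA256SUMS.sigstore.json \
#     --certificate-identity-regexp '^https://github.com/OWNER/REPO/' \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     SHA256SUMS
#   sha256sum -c SHA256SUMS
```

Signing only the checksum file is enough because each artifact is bound to it through its digest; without the signature step, a SHA256SUMS file uploaded by whoever controls the release page proves nothing about where the artifacts came from.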

kranurag7 commented Jul 15, 2024 via email
