Feature request: Please sign your releases #3001
Comments
The Git tags now appear to be signed - so I think this can be closed.
Git tags are now signed by GPG keys, and I think the issue comment requests keyless signing of artifacts using cosign.
What @kranurag7 said. What use are signed git commits to me if I'm downloading artifacts? You presently provide nothing with your artifacts. There is a sha256 file, but there's no signature to go with it, so you are not even providing the most basic of basics. Meanwhile SLSA is the 2024 way to sign your artefacts, so if you're going to do something, you might as well do that instead of simply introducing signed sha256 files.
Thanks @udf2457, I'll look into fixing this using cosign in the coming days.
It is easier than ever to do in 2024! You can even do it fully automated via GitHub Actions, GitHub OIDC and Sigstore "keyless" signing.
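A release workflow that does what this comment describes, added here as an example and not taken from the project: it assumes a hypothetical `make release` build step that writes tarballs to `dist/`, and uses the real `sigstore/cosign-installer` and `softprops/action-gh-release` actions. The workflow's OIDC token is exchanged by Sigstore for a short-lived certificate, so no long-lived signing key is stored in the repository.

```yaml
# .github/workflows/release.yml  (added example, not the project's own workflow)
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: write   # needed to upload release assets
  id-token: write   # lets the job request a GitHub OIDC token; Sigstore's Fulcio
                    # exchanges it for a short-lived cert bound to this workflow identity

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build and write checksums
        run: |
          make release                      # hypothetical build; produces dist/*.tar.gz
          cd dist && sha256sum *.tar.gz > checksums.txt

      - uses: sigstore/cosign-installer@v3

      - name: Sign the checksum file (keyless)
        # --bundle stores the signature, the Fulcio certificate and the Rekor
        # transparency-log entry in one file, so consumers need only the bundle.
        run: |
          cosign sign-blob --yes \
            --bundle dist/checksums.txt.sigstore.json \
            dist/checksums.txt

      - name: Publish artifacts, checksums and signature bundle
        uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/*.tar.gz
            dist/checksums.txt
            dist/checksums.txt.sigstore.json

# A downloader verifies before trusting the checksums (OWNER/REPO and vX.Y.Z are
# placeholders for the real repository and tag):
#   cosign verify-blob checksums.txt \
#     --bundle checksums.txt.sigstore.json \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     --certificate-identity https://github.com/OWNER/REPO/.github/workflows/release.yml@refs/tags/vX.Y.Z
#   sha256sum -c checksums.txt
```

Pinning `--certificate-identity` to the exact workflow path and tag ref is what makes the check meaningful; a bare `verify-blob` without identity constraints would accept a bundle signed by any GitHub workflow.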