Implement checksum & artifact signing #1513
Comments
Goreleaser offers support for signing artifacts using Cosign, which provides two distinct methods for accomplishing this task: key-based signing and keyless signing. Key-based signing necessitates the maintenance of a key pair, whereas keyless signing does not. I would appreciate it if you could inform me of the preferred method favored by the maintainers. I am eager to submit a pull request accordingly.
The keyless approach would be preferred here, especially since we're releasing from a github actions runner (leveraging OIDC tokens).
Shout out if you have more questions you feel we should answer before getting started, but also feel free to jump in if you have enough info 🙌 We have our community meeting this Thursday too as another option to chat about the details as well. In the meantime I'll assign the issue to you as a signal to others that it's in-flight work.
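A sketch of the keyless flow the maintainer describes, as an added example and not Grype's actual release configuration: GoReleaser invokes cosign to sign the checksums file, the workflow grants the `id-token: write` permission so cosign can exchange the GitHub OIDC token for a short-lived Fulcio certificate, and the final comment shows what a downstream user runs to verify. It assumes cosign v2 (no `COSIGN_EXPERIMENTAL` needed) and placeholder values for the repository name.

```yaml
# --- .goreleaser.yaml (excerpt; added example, not the project's own file) ---
checksum:
  name_template: checksums.txt
signs:
  - cmd: cosign
    certificate: "${artifact}.pem"
    signature: "${artifact}.sig"
    # Signing only the checksums file covers every binary transitively:
    # each binary's SHA-256 is listed inside the signed file.
    artifacts: checksum
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"   # non-interactive; accepts upload of the cert to the Rekor log
---
# --- .github/workflows/release.yaml (excerpt; assumed workflow, tags as of writing) ---
permissions:
  contents: write   # upload release assets
  id-token: write   # mint the OIDC token that Fulcio binds into the certificate
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: sigstore/cosign-installer@v3
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Consumer-side check after downloading checksums.txt, .pem, .sig and a binary
# (<org>/<repo> are placeholders). The identity regexp pins the signer to this
# repository's release workflow on a tag, so a cert issued to any other workflow
# or fork fails verification even though it chains to the same Fulcio root:
#   cosign verify-blob \
#     --certificate checksums.txt.pem --signature checksums.txt.sig \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     --certificate-identity-regexp \
#       '^https://github.com/<org>/<repo>/\.github/workflows/release\.yaml@refs/tags/v' \
#     checksums.txt
#   sha256sum --ignore-missing -c checksums.txt
```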
I think I have enough info to get started, will open a PR in a couple of days. I'll post here if there are any questions.
Hey, we may want to implement SLSA Build Level 3 as it supports this pattern and is battle tested + fits the goreleaser process.
@pandatix thanks so much for the references
Will check it out |
What would you like to be added:
Implement artifact signing using cosign.
Why is this needed:
Grype currently publishes release binaries on its GitHub release page, and provides users with important software artifacts. But ensuring the authenticity of these objects requires a more robust tool than simply relying on provided checksums. This feature request proposes a solution that leverages the capabilities of Goreleaser, which Grype uses to create and release artifacts, in order to increase the security and reliability of the release.
Additional context:
GoReleaser cosign integration