Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create GitHub Artifact Attestations in the release of aqua #3117

Closed
suzuki-shunsuke opened this issue Sep 23, 2024 · 1 comment
Closed

Create GitHub Artifact Attestations in the release of aqua #3117

suzuki-shunsuke opened this issue Sep 23, 2024 · 1 comment
Labels
enhancement New feature or request
Milestone
v2.35.0

Comments

@suzuki-shunsuke
Copy link
Member

Feature Overview

Create GitHub Artifact Attestations in the release of aqua.

Why is the feature needed?

To install aqua securely.

Workaround

We have already signed checksum files using Cosign and have generates SLSA Provenance using slsa-github-generator.

e.g. https://github.com/aquaproj/aqua/releases/tag/v2.34.0

So users can install aqua securely using Cosign and slsa-verifier.

https://github.com/slsa-framework/slsa-verifier

And aqua update-aqua and aqua-installer have already used them.

https://github.com/aquaproj/aqua-installer

But GitHub Artifact Attestations still has some benefits.

  • The verification command is simpler than Cosign and slsa-verifier
  • You don't need to know about Cosign and slsa-verifier
  • You don't need to install Cosign and slsa-verifier
  • GitHub Artifact Attestations is GitHub's official feature and has the potential to spread

Example Code

No response

Note

slsa-github-generator and GoReleaser don't support GitHub Artifact Attestations natively, but they have issues about it.

I think we may create GitHub Artifact Attestations using GitHub CLI in CI easily.
@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Sep 23, 2024
This was referenced Sep 23, 2024
Closed
Closed
@suzuki-shunsuke
Copy link
Member Author

As of v2.35.0, GitHub Artifact Attestation would be created.

@suzuki-shunsuke suzuki-shunsuke added this to the v2.35.0 milestone Sep 26, 2024
@suzuki-shunsuke suzuki-shunsuke mentioned this issue Sep 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.35.0
Development

No branches or pull requests
1 participant
@suzuki-shunsuke