Thomas Neidhart

I have now something that works for me, but compared to the generic builder (which I used before), this feels like an inferior solution to me atm. Also looking at...

I should have made myself more clear. I did not mean say that jreleaser is inferior but rather compare the generic vs the byob approach. Before that I used the...

thanks for the explanations,these differences and its implications where not obvious to me when reading up on the latest SLSA version. It would be great to have a chat about...

We have a script to download and verify the artifact (mainly for our own purposes to ease deployment) that works reasonably well. However, this is customized for this artifact, and...

@laurentsimon I send you a message in the openssf slack

Dependabot PRs like that should also be handled imho: ``` Bump the quarkus group with 1 update https://github.com/dependabot (#271) ```

Let me know if there is any interest in integrating this PR so I can work on another one wrt timestamping of signed jars. Otherwise there is no point ofc.

I added a test case, but while doing so I found a roadblock that I was not aware of before. The test case captures a case that does not pass...

I will look into ways to support writing the extra field as well. Also on a second thought, there should be a mechanism to indicate if the data entry has...

The documentation link in the error states that: You can only notarize apps that you sign with a Developer ID certificate. If you use any other certificate — like a...