
Sign releases

Open udf2457 opened this issue 1 year ago • 3 comments

You can even do it fully-automated via Github Actions, Github OIDC and Sigstore "keyless" signing.

udf2457 avatar Apr 21 '24 11:04 udf2457

Hello, thank you for the suggestion, but I don't understand what signing releases refers to here. Some information is missing. Is it the PGP ASC file for the downloads? Or do you refer to the Docker releases?

lspgn avatar Apr 21 '24 17:04 lspgn

Hi

As in https://github.com/netsampler/goflow2/releases

No signatures present (and not even a checksums file, but signatures are preferable to that)

So yes, I guess "PGP ASC file for the downloads" (or an alternative equivalent).

udf2457 avatar Apr 21 '24 17:04 udf2457

Useful references:

https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

udf2457 avatar Apr 23 '24 12:04 udf2457
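The setup the thread points at (GoReleaser plus the SLSA generic generator, with no long-lived signing key: the provenance is signed through GitHub OIDC and Sigstore), as an added example workflow that is not part of goflow2 and not the project's own CI. It assumes the repository already has a working `.goreleaser.yaml`, that the generator is pinned to an existing release tag (v1.10.0 here; check the current tag before use), and that the `provenance` job runs in the same workflow so it can attest the exact checksums GoReleaser produced.

```yaml
# .github/workflows/release.yml (added example, not goflow2's workflow)
name: release
on:
  push:
    tags: ["v*"]

permissions: read-all          # least privilege; jobs request what they need

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # upload release assets
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # GoReleaser needs the full tag history
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v5
        id: run-goreleaser
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Collect checksums as provenance subjects
        id: hash
        env:
          ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
        run: |
          set -euo pipefail
          # GoReleaser lists its outputs as JSON; the Checksum entry is the
          # sha256 file covering every release binary/archive.
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select(.type=="Checksum") | .path')
          echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [goreleaser]
    permissions:
      actions: read            # read the workflow run details
      id-token: write          # OIDC token for Sigstore keyless signing
      contents: write          # attach the provenance to the release
    # Reusable workflow: builds and signs a SLSA v1.0 provenance statement
    # for the subjects above and uploads it to the GitHub release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: ${{ needs.goreleaser.outputs.hashes }}
      upload-assets: true
```

Consumers then check a download against the uploaded provenance with `slsa-verifier verify-artifact <file> --provenance-path <provenance .intoto.jsonl> --source-uri github.com/netsampler/goflow2 --source-tag <tag>`, which fails unless the artifact's digest was attested by this repository's workflow.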