udf2457
Appreciate it, thanks @mholt . I tried to work through some of it, but even the commands as shown appear to be out of date, e.g. `cosign` in its present...
I think, as I said @mohammed90, for most people, something to encourage them to do the equivalent of `gpg --verify` is not a bad thing. Already too many people don't...
Useful references: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator
What @kranurag7 said. What use are signed git commits to me if I'm downloading artifacts? You presently provide _nothing_ with your artifacts. There is a sha256 file, but there's no...
Some extra useful links: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator https://docs.sigstore.dev/signing/overview/
Thanks for the pointer, will take a look. I haven't reviewed it or tried it, but I do know from recently looking through their docs that smallstep use systemd service...
Any further consideration given to moving to goreleaser @serathius, as mentioned in #13980? Adding provenance is a piece of cake with goreleaser. I'm not sure why your present `release.yml`...
GitHub [announced this](https://github.blog/changelog/2024-05-02-artifact-attestations-public-beta/) yesterday, so will need to compare it to the process originally linked to see if it makes it more straightforward to implement.
Hi @ArkaSaha30, I am currently focused on some high-priority $work projects, so your offer of assistance is much appreciated @ArkaSaha30 😉 Hopefully when things quiet down a little at $work...
@ianlewis I see you've now pulled SHA256SUM entirely, replacing it with `intoto.jsonl`? Is that your proposed solution to this issue? If so, it might be good if you updated...