
Feature request: Prevent download of unsigned binaries from arkade get

Open developer-guy opened this issue 2 years ago • 3 comments

Expected Behaviour

Maybe we could provide an option, as Docker did with its Content Trust feature (the DOCKER_CONTENT_TRUST variable), to enable downloading binaries if the binary was signed, then verify it before downloading it.

Current Behaviour

Not supported

Are you a GitHub Sponsor (Yes/No?)

Check at https://github.com/sponsors/alexellis

  • [ ] Yes
  • [x] No

Possible Solution

We could use cosign for that too.

Steps to Reproduce (for bugs)

Context

Your Environment

  • What Kubernetes distribution are you using?
    kubectl version
  • Operating System and version (e.g. Linux, Windows, MacOS):
    uname -a
    cat /etc/os-release
  • What arkade version is this?
    arkade version

developer-guy, Jan 20 '22 10:01

This issue needs fleshing out with more context.

Why? What's the use-case?

Pros/Cons of adding and maintaining this solution

How you plan to determine for a given binary tool, whether "the binary was signed" etc.

alexellis, Jan 20 '22 10:01

/set title: Feature request: Prevent download of unsigned binaries from arkade get

alexellis, Jan 20 '22 10:01

/add label: enhancement

Shikachuu, Jan 26 '22 17:01

Closing due to lack of interest from community.

alexellis, Jun 15 '23 08:06