
Code sign releases

Open jzelinskie opened this issue 3 years ago • 3 comments

We currently do not do any code signing.

It wouldn't be much work to adopt what's done in this thread (e.g. how in-toto signs releases), using cosign with goreleaser.

jzelinskie, Nov 13 '21 22:11

Here's another post with more information on the cosign/goreleaser workflow: https://shibumi.dev/posts/keyless-signatures-with-github-actions/

jzelinskie, Nov 14 '21 22:11

Here's some more posts on how to do it for our docker images:

  • https://chainguard.dev/posts/2021-12-01-zero-friction-keyless-signing
  • https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

jzelinskie, Dec 15 '21 19:12

An example repository using goreleaser: https://github.com/caarlos0-graveyard/gorel-keyless

jzelinskie, Dec 26 '21 22:12
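The keyless cosign/goreleaser setup the comments above link to, written out as an added example. This is not spicedb's own configuration and nothing from the linked posts is reproduced verbatim; the module path, the `example/spicedb` repository and the `ghcr.io/example/spicedb` image name are placeholders. It assumes goreleaser v1.x and cosign v2 (where `--yes` replaces the old `COSIGN_EXPERIMENTAL=1` opt-in). The two YAML documents are separate files in the repository; the `---` separator only keeps them in one block here.

```yaml
# .goreleaser.yaml (added example, not spicedb's release config)
builds:
  - id: spicedb
    main: ./cmd/spicedb        # assumed entrypoint
    env: [CGO_ENABLED=0]
    goos: [linux, darwin, windows]
    goarch: [amd64, arm64]

checksum:
  name_template: checksums.txt

# Sign the checksum file once with a keyless (Fulcio/Rekor) cosign signature.
# Every archive is covered transitively through its sha256 in checksums.txt.
signs:
  - cmd: cosign
    certificate: "${artifact}.pem"
    signature: "${artifact}.sig"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
      - "--yes"
    artifacts: checksum

dockers:
  - image_templates:
      - "ghcr.io/example/spicedb:{{ .Version }}"   # placeholder image name
    dockerfile: Dockerfile.release                  # assumed file name
    build_flag_templates:
      - "--label=org.opencontainers.image.source={{ .GitURL }}"

# Sign the pushed image by digest, not by tag, so the signature cannot be
# re-pointed at a different image by moving the tag later.
docker_signs:
  - cmd: cosign
    artifacts: images
    args:
      - sign
      - "${artifact}@${digest}"
      - "--yes"

---
# .github/workflows/release.yaml (added example)
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: write     # upload release assets
  packages: write     # push to ghcr.io
  id-token: write     # REQUIRED: lets cosign obtain the GitHub OIDC token for keyless signing

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@v5
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two things a practitioner should check. First, without `id-token: write` the OIDC token request fails and cosign exits with an error about obtaining an identity token, so the job fails rather than silently producing an unsigned release. Second, verification must pin the signing identity, because a Fulcio certificate is issued to any OIDC identity; `cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/example/spicedb/' checksums.txt` (and the matching `cosign verify` with the same two identity flags for the image) rejects signatures produced from any other repository's workflow, which a bare signature check would accept.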