
build: sign build artifacts using GitHub Actions

Open odeke-em opened this issue 2 years ago • 2 comments

Summary

From a security assessment that we engaged in with Chainguard for the Cosmos ecosystem to aid in supply chain security, they noticed that build artifacts weren't signed, and this means that we don't have reproducible builds.

Use GitHub Actions to sign artifacts produced in the builds. Link to GitHub Actions signing: https://github.blog/2022-04-07-slsa-3-compliance-with-github-actions/

Just an FYI for my colleagues at Orijtech Inc @willpoint @elias-orijtech @kirbyquerby


For Admin Use

  • [x] Not duplicate issue
  • [ ] Appropriate labels applied
  • [ ] Appropriate contributors tagged
  • [ ] Contributor assigned/self-assigned
  • [x] Is a spike necessary to map out how the issue should be approached?

odeke-em avatar Jul 30 '22 01:07 odeke-em

@MSalopek This was solved by goreleaser, right?

mpoke avatar Aug 31 '23 08:08 mpoke

@mpoke I don't think it is. This is about creating some unforgeable metadata and signing it. We just use checksums obtained from the goreleaser build process.

MSalopek avatar Sep 14 '23 14:09 MSalopek
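As an added example (not gaia's own workflow, and not code from this thread), the workflow below shows what the issue body and MSalopek's comment are asking for: goreleaser still produces the binaries and the checksums file, but the checksums are then fed to the SLSA generic generator from the linked blog post, which emits Sigstore-signed provenance tied to this workflow run instead of an unsigned checksums file. Assumed: a single `*_checksums.txt` in `dist/`, releases triggered by `v*` tags, and the pinned action versions, which should be updated to whatever the repo actually uses.

```yaml
name: release
on:
  push:
    tags: ['v*']   # assumption: releases are cut from version tags

permissions: read-all   # least privilege by default; jobs opt in below

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # goreleaser uploads release assets
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # goreleaser needs tags/history for changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Record artifact digests as provenance subjects
        id: hash
        run: |
          # goreleaser writes sha256sum-style "<digest>  <file>" lines into
          # dist/<project>_<version>_checksums.txt; the generator takes that
          # file base64-encoded. Assumption: exactly one checksums file exists.
          echo "hashes=$(base64 -w0 dist/*_checksums.txt)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [goreleaser]
    permissions:
      actions: read     # generator reads this run's metadata (builder identity)
      id-token: write   # OIDC token that Sigstore keyless signing is bound to
      contents: write   # attach the .intoto.jsonl provenance to the release
    # Reference the reusable workflow by tag, as the generator's docs require;
    # the version shown here is an assumption, pin to the current release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
    with:
      base64-subjects: ${{ needs.goreleaser.outputs.hashes }}
      upload-assets: true
```

Consumers can then verify a downloaded binary against the attached provenance with `slsa-verifier`, checking that the digest, source repository and tag match before trusting the artifact.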

Closing as low priority

mpoke avatar Apr 04 '24 13:04 mpoke