compose icon indicating copy to clipboard operation
compose copied to clipboard
verified publisher icon docker

Generate SLSA provenance for released binaries

Open laurentsimon opened this issue 3 years ago • 5 comments

Hi,

I'm reaching out on behalf of the Open Source Security Foundation (openssf.org). We work on improving the security of critical open source projects like yours.

Together with GitHub, we designed a free, easy-to-use method of code signing. It will help your users verify that your release binaries were built from your repository’s workflow and not altered by anyone. It’s just a few lines of code, but it will make your project more secure against third-party tampering and attacks like Codecov and CTX.

This PR shows how to add this seamless code signing to your workflow. You don’t have to be a cryptography expert or learn complicated tools and verification is simple for your users.

You can read more on the SLSA blog. Please reach out if you have any questions!

laurentsimon avatar Aug 01 '22 17:08 laurentsimon

friendly ping. Are there any question I could answer?

laurentsimon avatar Aug 09 '22 19:08 laurentsimon

Thanks @nicksieger !

laurentsimon avatar Aug 09 '22 19:08 laurentsimon

friendly ping for feedback.

laurentsimon avatar Aug 11 '22 23:08 laurentsimon

Hello @laurentsimon

Regarding the current exchanges in your buildx PR, we're discussing internally to give you a common response quickly. If that's fine for you, could we use the buildx PR for all the discussions?

glours avatar Aug 12 '22 20:08 glours

Hello @laurentsimon

Regarding the current exchanges in your buildx PR, we're discussing internally to give you a common response quickly. If that's fine for you, could we use the buildx PR for all the discussions?

Absolutely. SGTM. Happy to answer further questions if you have any.

laurentsimon avatar Aug 12 '22 20:08 laurentsimon