
Sign Releases with Cosign

Open tobru opened this issue 2 years ago • 0 comments

Summary

As a K8up user, I want to be sure I'm using an official and untampered release of K8up, so that I'm sure it's the original K8up I'm using.

Context

K8up releases should be signed in a way that the signature can be easily proved and properly checked against the project. This blog post has a very good idea of how this could be achieved: https://shibumi.dev/posts/keyless-signatures-with-github-actions/

Out of Scope

  • GPG signing

Further links

  • https://shibumi.dev/posts/keyless-signatures-with-github-actions/
  • https://github.com/sigstore
  • https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

Acceptance Criteria

No response

Implementation Ideas

Use keyless signatures with GitHub Actions

tobru · Nov 19 '21 08:11
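As an added example, not part of this issue and not K8up's own release workflow, this is one shape the implementation idea above could take: a GitHub Actions job that signs the pushed image keylessly with cosign (the workflow's OIDC identity stands in for a long-lived key) plus the `cosign verify` call a user would run against a release. The repository owner, image name and workflow file name are placeholders.

```yaml
# Added example (not K8up's own workflow): keyless cosign signing of a
# release image from GitHub Actions. OWNER and the image name are placeholders.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push the image to GHCR
  id-token: write   # mint the OIDC token cosign exchanges for a signing cert

jobs:
  build-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/OWNER/k8up:${{ github.ref_name }}

      - uses: sigstore/cosign-installer@v3

      # Sign by digest, not by tag: a tag can be re-pointed after signing.
      # Fulcio issues a short-lived certificate bound to this workflow's
      # identity, and the signature is recorded in the Rekor transparency log.
      - name: Sign image (keyless)
        run: cosign sign --yes "ghcr.io/OWNER/k8up@${{ steps.build.outputs.digest }}"

      # What a user runs to check a release: the issuer pins GitHub's OIDC
      # provider and the identity regexp pins the signing workflow and tag ref,
      # so an image signed by any other identity fails verification.
      - name: Verify signature
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/OWNER/k8up/\.github/workflows/release\.ya?ml@refs/tags/v' \
            "ghcr.io/OWNER/k8up@${{ steps.build.outputs.digest }}"
```

Users verifying a downloaded release need only the last step's `cosign verify` command with the release digest; the identity and issuer flags are what make the check "against the project" rather than against any valid Sigstore signature.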