
Sign Component Detection GitHub releases

Open melotic opened this issue 2 years ago • 1 comment

In accordance with OpenSSF's recommendations, we should be cryptographically signing our GitHub releases with a GPG key.

  • OpenSSF Guidance: https://github.com/ossf/scorecard/blob/4edb07802fdad892fa8d10f8fd47666b6ccc27c9/docs/checks.md#signed-releases
  • Doc on signing releases from debian: https://wiki.debian.org/Creating%20signed%20GitHub%20releases

We can perhaps use the cert from OneCert when we complete #652

melotic avatar Jul 12 '23 16:07 melotic

I'm not sure if GPG is necessary here. Something like sigstore or GitHub's new artifact attestations might be a more lightweight option.

JamieMagee avatar May 15 '24 18:05 JamieMagee