
Sign sbom-tool releases

Open nsmith5 opened this issue 2 years ago • 10 comments

Would be nice to be able to verify that releases of sbom-tool are built by CI, by using e.g. sigstore to sign binaries.

nsmith5 avatar Jul 12 '22 18:07 nsmith5

I was thinking the same. Would love to help here if possible.

Brend-Smits avatar Jul 12 '22 19:07 Brend-Smits

It would also be nice to generate provenance using slsa-provenance-action in CI. Should I create another issue for this?

Dentrax avatar Jul 13 '22 18:07 Dentrax

Do you mean have this tool sign the users' releases (binaries/images), or that releases of this tool should be signed as part of the CI/CD process so users could validate they are installing the intended tool?

cmaclaughlin avatar Jul 14 '22 19:07 cmaclaughlin

It would also be nice to generate provenance using slsa-provenance-action in CI. Should I create another issue for this?

Generating provenance in any format is, and should be, separate from signing; please create a separate issue.

cmaclaughlin avatar Jul 14 '22 19:07 cmaclaughlin

Thanks for all your inputs, we are in the process of verifying some changes in our CI/CD pipeline, after which we will start publishing signed artifacts.

aasim avatar Jul 14 '22 19:07 aasim

@cmaclaughlin to clarify: Releases of this tool should be signed

nsmith5 avatar Jul 14 '22 20:07 nsmith5

Hi all - we have now pushed a change that will publish signed artifacts for our releases. Please check out version 0.1.4.

aasim avatar Jul 20 '22 18:07 aasim

Hey @aasim, I checked the release assets included, but did not see any signatures. Am I missing something? How are the release assets signed? I tried finding a step in the CI/CD workflows, but couldn't find it. Happy to help sign the assets using Sigstore.

Brend-Smits avatar Jul 20 '22 18:07 Brend-Smits
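What "signed release assets" buys a consumer, as an added example that is not part of this thread or of the sbom-tool project: the publisher signs a digest of each binary and ships the detached signature next to it; the downloader recomputes the digest of the bytes it actually received and checks the signature against the publisher's public key, so a modified binary or a signature made with someone else's key is rejected. This example uses a plain ECDSA P-256 key pair as a stand-in for a sigstore keyless flow (where the long-lived key is replaced by a short-lived certificate bound to the CI identity); the key pair, the `ReleaseAsset` bytes and the function names are assumptions for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ReleaseAsset is a constructed stand-in for a downloaded release binary.
// In a real pipeline these are the bytes of the binary and the detached
// signature file shipped next to it.
var ReleaseAsset = []byte("sbom-tool linux-x64 0.1.4 -- constructed sample, not a real binary")

// GenerateReleaseKey creates the publisher's signing key (assumed; a sigstore
// keyless flow would instead mint a short-lived cert for the CI identity).
func GenerateReleaseKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignAsset returns a detached ASN.1 ECDSA signature over SHA-256(asset).
func SignAsset(priv *ecdsa.PrivateKey, asset []byte) ([]byte, error) {
	if priv == nil {
		return nil, errors.New("nil signing key")
	}
	digest := sha256.Sum256(asset)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyAsset is the consumer-side check: recompute the digest of what was
// actually downloaded and verify the detached signature with the publisher's
// public key. Any change to the bytes, or a signature from another key, fails.
func VerifyAsset(pub *ecdsa.PublicKey, asset, sig []byte) bool {
	if pub == nil || len(sig) == 0 {
		return false
	}
	digest := sha256.Sum256(asset)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the round trip: the genuine asset verifies, a tampered copy is
// rejected, and a signature made with an unrelated key is rejected.
func Demo() (genuineOK, tamperedRejected, wrongKeyRejected bool, err error) {
	releaseKey, err := GenerateReleaseKey()
	if err != nil {
		return
	}
	sig, err := SignAsset(releaseKey, ReleaseAsset)
	if err != nil {
		return
	}
	genuineOK = VerifyAsset(&releaseKey.PublicKey, ReleaseAsset, sig)

	// Flip one byte, as a trojaned mirror or a corrupted download would.
	tampered := append([]byte(nil), ReleaseAsset...)
	tampered[len(tampered)-1] ^= 0x01
	tamperedRejected = !VerifyAsset(&releaseKey.PublicKey, tampered, sig)

	// An attacker without the publisher's key can only sign with their own.
	attackerKey, err := GenerateReleaseKey()
	if err != nil {
		return
	}
	forged, err := SignAsset(attackerKey, ReleaseAsset)
	if err != nil {
		return
	}
	wrongKeyRejected = !VerifyAsset(&releaseKey.PublicKey, ReleaseAsset, forged)
	return
}

func main() {
	ok, tampered, wrong, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, wrong key rejected: %v\n",
		ok, tampered, wrong)
}
```

The signature only proves the bytes came from whoever holds the signing key; binding that key to "built by CI" is the separate question of where the key (or, with sigstore, the signing certificate) is issued, which is why the thread treats provenance as a separate issue from signing.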

This issue was just closed, but I couldn't see any related PR that fixes it. Or am I missing something? 🤔

Dentrax avatar Jul 20 '22 18:07 Dentrax

Apologies for a little miscommunication. Right now only the Windows binary is signed, and we're working on providing integrity validation for the rest of the binaries and the SBOM files. Release assets are going to be produced in the private pipeline from now on and will be signed with Microsoft certificates.

I'll keep this open until we figure out the signing process for the Unix binaries.

ByAgenT avatar Jul 20 '22 18:07 ByAgenT