Sign nextest's binary releases

Open sunshowers opened this issue 3 years ago • 6 comments

It would be really nice to have a way for us to sign nextest's binary releases to ensure they're authentic.

sunshowers, Jul 18 '22 18:07

FYI, I'm working on supporting signing in upload-rust-binary-action, and here is a draft implementation of signing with PGP: https://github.com/taiki-e/upload-rust-binary-action/issues/40#issuecomment-1382745575

taiki-e, Jan 14 '23 14:01

Thanks, this is awesome! Any plans to support Sigstore?

sunshowers, Jan 15 '23 21:01

Sorry for the late reply, Sigstore has been included in the list since https://github.com/taiki-e/upload-rust-binary-action/issues/40 was first opened.

Do you have any concrete requests as to what format you want to sign, or what files you want to sign?

taiki-e, Aug 06 '23 14:08

Thanks @taiki-e -- ideally the release task would run cosign sign-blob using an identity from GitHub Actions: https://docs.sigstore.dev/cosign/signing_with_blobs. Then, the cosign.bundle (appropriately named) would be uploaded along with the artifact. To verify the signature, users or automated tooling could download the cosign bundle and verify it that way.

It would also be great to work with @NobodyXu and the binstall folks to align on a strategy where binstall checks signatures.

sunshowers, Aug 06 '23 19:08
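A sketch of what the release step described in the comment above could look like, added here as an illustration. It is not nextest's or upload-rust-binary-action's actual workflow; the workflow file name (`release.yml`), the artifact name and the tag pattern are assumptions, and the build step is omitted. The job signs the archive keylessly with the GitHub Actions OIDC identity, verifies the resulting bundle against the expected workflow identity before publishing (so a broken signing step fails the release rather than shipping an unverifiable bundle), then uploads both files to the GitHub Release:

```yaml
# Added example, not nextest's release workflow.
# Assumed: this file is .github/workflows/release.yml and an earlier (omitted)
# build step produced nextest-x86_64-unknown-linux-gnu.tar.gz in the workspace.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # needed to attach assets to the GitHub Release
  id-token: write   # lets cosign request a GitHub OIDC token for keyless signing

jobs:
  sign-and-publish:
    runs-on: ubuntu-latest
    env:
      ARTIFACT: nextest-x86_64-unknown-linux-gnu.tar.gz   # assumed artifact name
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3

      - name: Sign the release archive (keyless; identity is this workflow run)
        run: |
          # --yes skips the interactive Rekor upload prompt.
          # --bundle writes certificate, signature and transparency-log entry into one file,
          # which is the single artifact users need to fetch alongside the archive.
          cosign sign-blob --yes --bundle "${ARTIFACT}.cosign.bundle" "${ARTIFACT}"

      - name: Verify the bundle before publishing
        run: |
          # The certificate's identity is the workflow ref that ran the signing step.
          # For a tag push GITHUB_REF is refs/tags/<tag>, so this pins the bundle to
          # exactly this workflow file at exactly this tag.
          cosign verify-blob \
            --bundle "${ARTIFACT}.cosign.bundle" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release.yml@${GITHUB_REF}" \
            "${ARTIFACT}"

      - name: Upload archive and bundle to the GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            nextest-x86_64-unknown-linux-gnu.tar.gz
            nextest-x86_64-unknown-linux-gnu.tar.gz.cosign.bundle
```

Users or tooling such as binstall would run the same `cosign verify-blob` command against the downloaded archive and bundle, substituting the repository and tag they expect (or `--certificate-identity-regexp` to accept any release tag of that workflow). Pinning both the issuer and the full workflow identity is the important part: checking only that a bundle verifies against Fulcio would accept a bundle produced by any GitHub Actions workflow in any repository.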

(I think another option is to use OCI to store artifacts in addition to GitHub Releases: https://docs.sigstore.dev/cosign/signing_with_blobs/#blobs-in-oci-registries)

sunshowers, Aug 06 '23 19:08

I wrote a comment on https://github.com/cargo-bins/cargo-binstall/issues/1 discussing this.

sunshowers, Aug 06 '23 20:08