Sign jar artifacts with sigstore cosign on release

Open tylerbenson opened this issue 1 year ago • 1 comments

Store them in a zip file attached to the release.

Jun 20 '24 22:06 tylerbenson

this seems fine to me. Are we waiting for security folks to approve this approach, or should we get this merged for the next release?

Jun 26 '24 20:06 jkwatson

I'm going to close this for now until the tooling and maven central have better support for what we're trying to do.

Jul 11 '24 17:07 tylerbenson