
Improve Score Reporting: Signed-Release and Packaging checks

Open · azeemshaikh38 opened this issue 3 years ago · 1 comment

We do terribly on Signed-Releases and Packaging checks for ecosystems and projects which do not release on GitHub or use GitHub Actions. Some ideas to improve here:

  • Look for git tags to check for releases and ensure that these tags are signed/verified.
  • Extending the above point, see if we can find associated release artifacts on package repositories.
  • Improve the packaging workflow list which we use to detect packaging in GH actions.

azeemshaikh38 · Aug 17 '22 01:08
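As an added illustration of the first bullet (checking whether a project's git tags carry a signature, and whether git can verify it), here is a small POSIX shell script. It is example code written for this discussion, not part of scorecard, and it only covers the tag side of the proposal, not release assets or registry packages. It classifies tag objects by the presence of a PGP or SSH signature block, and delegates actual verification to `git verify-tag`, which needs the signer's key (and, for SSH signatures, `gpg.format=ssh` plus an allowed-signers file) to succeed. The embedded tag objects and the `example.invalid` tagger are constructed samples, so the classification part runs without git or a repository.

```shell
#!/bin/sh
# Added example (not scorecard code): classify git tags by signature presence,
# then ask git to verify the ones that carry a signature.
#
# `git cat-file -p <tag>` prints an annotated tag object as:
#   object <sha>
#   type commit
#   tag <name>
#   tagger <name> <email> <timestamp>
#   <blank line>
#   <message, with any signature block appended at the end>
# A lightweight tag has no object of its own, so cat-file prints the commit.

# classify_tag_object TAG_OBJECT_TEXT -> lightweight | unsigned | gpg-signed | ssh-signed
classify_tag_object() {
  body=$1
  case "$body" in
    *"-----BEGIN PGP SIGNATURE-----"*) echo gpg-signed ;;
    *"-----BEGIN SSH SIGNATURE-----"*) echo ssh-signed ;;
    "object "*)                       echo unsigned ;;    # annotated, no signature
    *)                                echo lightweight ;; # cat-file printed a commit
  esac
}

# verify_status TAG_NAME -> verified | unverified
# Requires git, a checkout, and the signer's public key. SSH-signed tags verify only
# when gpg.format=ssh and gpg.ssh.allowedSignersFile are configured.
verify_status() {
  if git verify-tag "$1" >/dev/null 2>&1; then echo verified; else echo unverified; fi
}

# scan_repo_tags -> one "tag<TAB>status" line per tag in the current repository
scan_repo_tags() {
  git tag | while IFS= read -r tag; do
    status=$(classify_tag_object "$(git cat-file -p "$tag")")
    case "$status" in
      gpg-signed|ssh-signed) status="$status/$(verify_status "$tag")" ;;
    esac
    printf '%s\t%s\n' "$tag" "$status"
  done
}

# Constructed sample tag objects (placeholder hashes and a fake signature body).
SAMPLE_UNSIGNED='object 0000000000000000000000000000000000000000
type commit
tag v1.0.0
tagger Example Maintainer <maintainer@example.invalid> 1660000000 +0000

Release v1.0.0'

SAMPLE_GPG_SIGNED="$SAMPLE_UNSIGNED
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----"

SAMPLE_SSH_SIGNED="$SAMPLE_UNSIGNED
-----BEGIN SSH SIGNATURE-----
(constructed placeholder, not a real signature)
-----END SSH SIGNATURE-----"

SAMPLE_LIGHTWEIGHT='tree 1111111111111111111111111111111111111111
author Example Maintainer <maintainer@example.invalid> 1660000000 +0000
committer Example Maintainer <maintainer@example.invalid> 1660000000 +0000

Initial commit'

printf 'lightweight sample: %s\n' "$(classify_tag_object "$SAMPLE_LIGHTWEIGHT")"
printf 'unsigned sample:    %s\n' "$(classify_tag_object "$SAMPLE_UNSIGNED")"
printf 'gpg-signed sample:  %s\n' "$(classify_tag_object "$SAMPLE_GPG_SIGNED")"
printf 'ssh-signed sample:  %s\n' "$(classify_tag_object "$SAMPLE_SSH_SIGNED")"

# Usage: sh check-tags.sh /path/to/checkout   (scans a real repository if given)
if [ $# -gt 0 ] && [ -d "$1/.git" ]; then
  (cd "$1" && scan_repo_tags)
fi
```

Note that "signed" and "verified" are reported separately on purpose: a signature block proves only that someone signed the tag, while `git verify-tag` succeeding ties it to a key you trust. A scorer that treats any signature block as a pass would be easy to satisfy with a throwaway key.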

  • Look for git tags to check for releases and ensure that these tags are signed/verified.

Not clear how much improvement this is. Tags are in the commit history. This is different from binaries stored in release assets (that can be altered without commit history changes) and/or registry packages.

  • Extending the above point, see if we can find associated release artifacts on package repositories.

This is covered in https://github.com/ossf/scorecard/issues/688

laurentsimon · Aug 22 '22 14:08