Sign published packages with sigstore

Open JamieMagee opened this issue 3 years ago • 1 comment

There's currently an RFC open on improving the npm ecosystem's security by signing packages using sigstore. I'd like to suggest that semantic-release opt into this functionality whenever npm finalizes their implementation.

Sources:

  • https://github.blog/2022-08-08-new-request-for-comments-on-improving-npm-security-with-sigstore-is-now-open/
  • https://github.com/npm/rfcs/pull/626
  • https://github.com/sigstore/sigstore-js

JamieMagee avatar Aug 12 '22 06:08 JamieMagee

Thanks for starting this thread. We are already watching the proposal closely and intend to embrace it. Please don't hesitate to capture more details here about how semantic-release needs to adjust as they become more clear.

travi avatar Aug 12 '22 13:08 travi