Rain

Results 514 comments of Rain

Thanks @lemmih. Happy to spend some time on this tomorrow. What would be a good way to coordinate our efforts?

For https://github.com/nextest-rs/nextest/issues/369, I had a look at https://docs.rs/sigstore/latest/sigstore/ and it seems like it should be possible to: 1. create a signature bundle at release time using `cosign sign-blob`: https://docs.sigstore.dev/cosign/signing_with_blobs, including in...

More thoughts. 1. I believe that GitHub Releases is not a reliable place to store artifacts that can never be changed in the future. Is this correct? 2. Timestamps aren't...

> slightly aside one of the things i've been thinking about a bit is how annoyingly repetitive setting up gh actions CI is for rust tools A couple of existing...

> hmm, you can delete and re-upload artifacts, but so long as the signature is valid is it important that these are immutable? i think the risks one is attempting...

Ah sorry, NobodyXu doesn't work on upload-rust-binary-action. But it's part of the same general family of actions as https://github.com/taiki-e/install-action which they do work on, haha :)

> We could put the public key/checksum inside Cargo.toml since it is actually immutable and you can count on it. Interesting idea -- how would you do that? I guess...

Gotcha! So, hmm, I think just storing the public key doesn't quite solve the threat model that I outlined, because: assume that the private key is stored as an environment...

I believe https://github.com/tokio-rs/tokio/pull/6152 addresses this, in a way that still uses vfork.

No, sadly, I believe this is still blocked. I don't plan to work on this but you're welcome to pick it up if you like!