Is your feature request related to a problem? Please describe.
Currently, aside from generating SHA-512 hashes, we don't have any implementation of binary signing, leaving people more vulnerable to supply-side attacks.
While we're a small group with a limited reach at the moment, it would pay off well to tackle it ahead of time.
Describe the solution you'd like
A consortium has come together to try and make open source signing easy and relatively decoupled from traditional Cert authorities in terms of verification.
While the implementation is fairly young, it looks pretty straightforward and related to the CI stuff I've been doing so far:
https://sigstore.dev/
Describe alternatives you've considered
A previous implementation I had bookmarked, SignPath Foundation, held a similar premise, but required projects to submit an application for approval, hewing closer to the traditional CA structure.
https://signpath.org/
Additional context
I was made aware of this signing project by a former colleague of mine with a solid security mindset and a passion for cryptography and security that outstrips my own in leaps and bounds.
They've implemented it experimentally on their own repo and seem very happy with the results:
https://github.com/MatthiasValvekens/pyHanko/blob/master/.github/workflows/release.yml
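The gap the request describes, a checksum file with no signature, is worth seeing concretely. The Go program below is an added illustration, not code from this project, from pyHanko or from Sigstore: it publishes a constructed sample artifact with a SHA-512 digest, optionally signs that digest with a publisher key, and then models an attacker who replaces the artifact on the download server and regenerates the checksum file. The checksum-only check still passes; the signature check does not. It uses a plain Ed25519 key pair as a stand-in for the signing identity (Sigstore's keyless flow binds a short-lived certificate to a CI identity instead, but the verification property shown here is the same), and every name in it (`Release`, `Publish`, `Tamper`, `VerifyChecksum`, `VerifySignature`) is an assumption of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release bundles an artifact with the metadata a downloader receives:
// the hex digest (as a SHA512SUMS file would carry it) and, when the
// publisher signs, a detached signature over that digest.
type Release struct {
	Artifact  []byte
	SHA512    string
	Signature []byte // nil when the release was published unsigned
}

func digestHex(b []byte) string {
	sum := sha512.Sum512(b)
	return hex.EncodeToString(sum[:])
}

// Publish computes the checksum and, if a private key is given, signs the digest.
func Publish(artifact []byte, priv ed25519.PrivateKey) Release {
	r := Release{Artifact: artifact, SHA512: digestHex(artifact)}
	if priv != nil {
		r.Signature = ed25519.Sign(priv, []byte(r.SHA512))
	}
	return r
}

// VerifyChecksum is all a downloader can do with a bare SHA512SUMS file:
// it detects corruption, but not a substitution by whoever controls the host.
func VerifyChecksum(r Release) bool {
	return digestHex(r.Artifact) == r.SHA512
}

// VerifySignature additionally requires that the digest was signed by the
// publisher's key, which the attacker in Tamper does not hold.
func VerifySignature(r Release, pub ed25519.PublicKey) error {
	if !VerifyChecksum(r) {
		return errors.New("checksum mismatch")
	}
	if r.Signature == nil {
		return errors.New("artifact is unsigned")
	}
	if !ed25519.Verify(pub, []byte(r.SHA512), r.Signature) {
		return errors.New("signature does not verify against the publisher key")
	}
	return nil
}

// Tamper models an attacker who controls the download server: the artifact
// is swapped and the checksum file regenerated so the two still agree.
func Tamper(r Release, replacement []byte) Release {
	r.Artifact = replacement
	r.SHA512 = digestHex(replacement)
	return r
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample contents; a real release would be the built binary.
	good := Publish([]byte("v1.0 release binary (constructed sample)"), priv)
	bad := Tamper(good, []byte("substituted binary (constructed sample)"))

	fmt.Println("tampered, checksum only:", VerifyChecksum(bad))   // true
	fmt.Println("tampered, with signature:", VerifySignature(bad, pub)) // error
	fmt.Println("genuine, with signature:", VerifySignature(good, pub)) // <nil>
}
```

The point for the consumer side is that a signature must be verified against a key or identity obtained out of band (a pinned public key, or for Sigstore the expected certificate identity and issuer), not against anything fetched from the same server as the artifact, otherwise the attacker in `Tamper` simply republishes both.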