Please sign packages or provide other means to verify binary integrity #68
Comments
berlincount
changed the title
|
The release process is typically only run from dev (e.g. my) machines, so there's no natural place (i.e. shipit) for credentials to live. If anyone (e.g. you) wants to take a run at it, it shouldn't be terribly hard to build a shipit-ified release process with signing. It's not high on my priority list though: I'm not likely to get to it soon. |
|
We use goreleaser now. https://github.com/shopify/hansel uses sigstore, we could copy that pattern. GitHub's new attestations are pretty great - we should use them! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
No description provided.
The text was updated successfully, but these errors were encountered: