Use sigstore software transparency for releases #21524

Open
laanwj opened this issue Mar 24, 2021 · 5 comments
Comments

@laanwj
Member

laanwj commented Mar 24, 2021

Sigstore is an initiative by the Linux Foundation for software supply chain security. The goal is to be able to verify the origin of binaries as well as to ensure software transparency, so as to be able to verify that you downloaded the same binary as everyone else. Of course we already sign our releases, but the latter seems important.

The implementation is under development and available as open source. However, the system is not live yet (as of 2021-03-24, there is a public instance test server, but they warn it will get wiped).

But I think as soon as it does go into production use, we should try to use it for our releases.

@dlorenc

dlorenc commented Mar 31, 2021

Just saw this! sigstore maintainer here. We'd love to help out however we can! Feel free to reach out on the mailing list or directly to me.

@laanwj
Member Author

laanwj commented Apr 7, 2021

Thank you for the response!
We're kind of between build processes at the moment so there is no real hurry.

On our side, I think we first need to iron out the new (Guix-based) deterministic build process before 0.22 (#21145 for details). From there, we can figure out how best to integrate sigstore into the process.

I mean, the alternative is to figure out how to integrate this into the current (gitian-based) build process, but as we're moving away from that it doesn't seem worthwhile.

@lukehinds

Just revisiting this as sigstore is now a well-funded project under the Open Source Security Foundation. How are things at present? Happy to work with you, as we have helped onboard a few communities now.

@hebasto
Member

hebasto commented May 4, 2024

> But I think as soon as it does go into production use, we should try to use it for our releases.

The time has come?

@maflcko
Member

maflcko commented May 4, 2024

Does it offer any benefit over the existing workflow with guix attestations? See https://github.com/bitcoin-core/guix.sigs/

I presume every key and every attestation would have to be done twice and then uploaded to two different places? Or can sigstore just download and mirror the contents of the https://github.com/bitcoin-core/guix.sigs/ repo on its own?
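The "did I download the same binary as everyone else" check that the opening comment describes, and that the guix attestation workflow mentioned just above already provides, amounts to comparing a local hash against several independent builders' attested hashes. The script below is an added example, not code from this thread, from Bitcoin Core or from sigstore. It assumes attestation files in sha256sum output format (one `<sha256-hex>  <filename>` line per artifact, which is what the guix.sigs repository publishes per builder); the builder names, the artifact bytes and the hashes are constructed for the example, and the quorum rule is a design choice of this example, not a policy of either project.

```python
"""Cross-check a downloaded release artifact against several builders'
attestations, the reproducible-build form of "same binary as everyone else".

Assumed attestation format (sha256sum output, as used by the guix.sigs
repository referenced in the thread): one line per artifact,
"<sha256-hex>  <filename>". Builder names, digests and artifact bytes
below are constructed for this example.
"""
import hashlib

# Constructed sample artifact standing in for a downloaded release tarball.
SAMPLE_ARTIFACT = b"bitcoin-example-release-tarball-bytes"
SAMPLE_FILENAME = "bitcoin-example.tar.gz"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes actually on disk (the local side of the check)."""
    return hashlib.sha256(data).hexdigest()


def parse_attestation(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Malformed lines raise rather than being skipped: a verifier that silently
    drops lines can be made to ignore the one entry that matters.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed attestation line: {line!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def cross_check(filename: str, data: bytes, attestations: dict, quorum: int):
    """Return (ok, details).

    ok is True only when at least `quorum` builders attested to `filename`
    AND every builder that attested to it agrees with the local hash. A single
    disagreeing builder fails the check: it means someone's build (or the
    download) differs, which is exactly what the reader needs to know.
    """
    local = sha256_hex(data)
    agree, disagree, missing = [], [], []
    for builder, text in attestations.items():
        entries = parse_attestation(text)
        if filename not in entries:
            missing.append(builder)
        elif entries[filename] == local:
            agree.append(builder)
        else:
            disagree.append(builder)
    ok = len(agree) >= quorum and not disagree
    return ok, {
        "local_sha256": local,
        "agree": agree,
        "disagree": disagree,
        "missing": missing,
    }


# Constructed attestations: two builders agree with the local bytes, a third
# (builder-c) attests to a different digest, as a modified artifact would show.
GOOD_DIGEST = sha256_hex(SAMPLE_ARTIFACT)
TAMPERED_DIGEST = "deadbeef" * 8  # constructed placeholder digest
SAMPLE_ATTESTATIONS = {
    "builder-a": f"{GOOD_DIGEST}  {SAMPLE_FILENAME}\n",
    "builder-b": f"{GOOD_DIGEST}  {SAMPLE_FILENAME}\n{'ab' * 32}  other-file.zip\n",
    "builder-c": f"{TAMPERED_DIGEST}  {SAMPLE_FILENAME}\n",
}


def check_sample_honest():
    """All attesting builders agree; passes with a quorum of 2."""
    honest = {k: v for k, v in SAMPLE_ATTESTATIONS.items() if k != "builder-c"}
    return cross_check(SAMPLE_FILENAME, SAMPLE_ARTIFACT, honest, quorum=2)


def check_sample_with_disagreement():
    """One builder disagrees; must fail even though the quorum is met."""
    return cross_check(SAMPLE_FILENAME, SAMPLE_ARTIFACT, SAMPLE_ATTESTATIONS, quorum=2)


if __name__ == "__main__":
    print("honest set:", check_sample_honest())
    print("with disagreement:", check_sample_with_disagreement())
```

Note that this only answers the reproducibility question (do independent builders agree on the bytes?). Whether the attestation files themselves are authentic is a separate step: in the guix.sigs workflow each builder's file is signed with that builder's key, and a transparency log of the sort sigstore provides adds a public, append-only record that the same attestations were shown to everyone.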

7 participants
@laanwj @dlorenc @maflcko @lukehinds @hebasto and others