RFC: Signed RiffRaff Artifacts

[AshCorr]

What does this change?

In addition to a build.json file actions-riff-raff will also produce a sigstore-hashes.json file which lists all of the SHA256 file hashes of the files being uploaded to riff-raff.

sigstore-hashes.json is signed using Sigstore. This allows riff-raff to verify that the sigstore-hashes.json file has been created by a workflow in the Guardian organisation, and perhaps eventually that the repository uploading the artifact has access to the project being deployed to.

In the short term we can get riff-raff to add a warning to any builds that don't have a sigstore-hashes.json file and/or have files that have been tampered with, but eventually, once adoption is high enough, fail builds that don't have an attached sigstore-hashes.json file.

How to test

How can we measure success?

Have we considered potential risks?

Images

Accessibility

• Tested with screen reader
• Navigable with keyboard
• Colour contrast passed
• The change doesn't use only colour to convey meaning

[github-actions]

This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days

[AshCorr]

not yet!

[github-actions]

This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days

[github-actions]

This PR was closed because it has been stalled for 3 days with no activity.