I suggest that we use https://www.sigstore.dev/ since that's pretty much the defacto solution nowadays and doesn't require us managing GPG keys. Though, we might actually want to look at https://slsa.dev/ to help our users map built packages back to their canonical sources and dependencies.
One thing to verify is if we need to do both slsa and sigstore. SLSA describes the provenance (what entity built the artifact, what process they used, and what the inputs were). This enables verifying that an artifact was built as expected.
SLSA uses provenance to indicate whether an artifact is authentic or not, but provenance doesn’t do anything unless somebody inspects it. SLSA calls that inspection verification
https://slsa.dev/attestation-model#model-and-terminology also shows that the attestation contains the artifact sha256 checksum and the attestation is signed. This means that technically the attestation of provenance is the artifact signature. If the artifact sha256 was to change, then the signature would become invalid.
As part of the OpenSSF Best Practices badges, we must cryptographically sign our releases, which includes:
I suggest that we use https://www.sigstore.dev/ since that's pretty much the defacto solution nowadays and doesn't require us managing GPG keys. Though, we might actually want to look at https://slsa.dev/ to help our users map built packages back to their canonical sources and dependencies.
One thing to verify is if we need to do both slsa and sigstore. SLSA describes the provenance (what entity built the artifact, what process they used, and what the inputs were). This enables verifying that an artifact was built as expected.
From https://slsa.dev/spec/v1.0/verifying-artifacts:
https://slsa.dev/attestation-model#model-and-terminology also shows that the attestation contains the artifact sha256 checksum and the attestation is signed. This means that technically the attestation of provenance is the artifact signature. If the artifact sha256 was to change, then the signature would become invalid.
Requirements: