Closed cociweb closed 3 months ago
While the base image is correct, we currently don't sign the add-on yet (and we would need to use our own email address). I think we also need to adjust the GitHub actions.
As far as I know they are also moving away from codenotary. They're now relying on cosign.
To complete the chain of trust we would also need to verify the ebusd image we use (I'm not sure if it even gets signed) and verify the base image.
Well, the developer site does not mention cosign, so the recommended one (at least by the docs) is codenotary. (BTW, I've seen some cosign instructions in some further repos, but they are not in the documentation set yet. So maybe some background activity is on its way about this question, but not officially.)
The related part is here, where the base image can refer to HA's. Maybe the 'own mail' is not required, or just a notification is sent to a registered mail? I'm not really aware of the exact mechanism of the signing.
At this point, if you think the PR/issue is unnecessary, then we can revoke it.
I marked this as draft right now. Codenotary CAS (https://cas.codenotary.com/) has been down for a while now, so we cannot sign it at the moment. It will be replaced by cosign, but it's not implemented yet (checked with some devs on the Discord server).
closed as stale
Sign the add-on with CodeNotary. It addresses https://github.com/LukasGrebe/ha-addons/issues/83.