LukasGrebe / ha-addons

Addons for Home Assistant
GNU General Public License v3.0

Signature of CodeNotary #84

Closed cociweb closed 3 months ago

cociweb commented 10 months ago

Sign the add-on with CodeNotary. It addresses https://github.com/LukasGrebe/ha-addons/issues/83.

tjorim commented 10 months ago

While the base image is correct, we currently don't sign the add-on yet (and we would need to use our own email address). I think we also need to adjust the GitHub actions.

tjorim commented 10 months ago

As far as I know they are also moving away from codenotary. They're now relying on cosign.

LukasGrebe commented 10 months ago

To complete the chain of trust we would also need to verify the ebusd image we use (I'm not sure if it even gets signed) and verify the base image.

cociweb commented 10 months ago

Well, the developer site does not mention cosign, so the recommended (at least by docs) is the codenotary. (BTW, I've seen some cosign instruction in some further repos, but it has not been in the documentation set, yet. So maybe some background activity is on its way about this question, but not officially.)

The related part is here, where the base image can refer to the HA's. Maybe the 'own mail' is not required or just a notification is sent to a registered mail? I'm not really aware of the exact mechanism of the signing.

At this point, if you think the PR/issue is unnecessary, then we can revoke it.

tjorim commented 10 months ago

I marked this as draft right now. Codenotary CAS (https://cas.codenotary.com/) has been down for a while now, so we cannot sign it at the moment. It will be replaced by cosign, but it's not implemented yet (checked with some devs on the Discord server).
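The two points raised above, the chain of trust down to the base image (LukasGrebe's comment) and the move from CodeNotary to cosign (tjorim's comment), can be expressed as one build workflow. The following GitHub Actions workflow is an added example written for this thread; it is not the ha-addons repository's own workflow, and nothing in the thread confirms that the base image or the ebusd image is actually cosign-signed. Every image name, signer identity and build-arg below is a placeholder assumption: `ghcr.io/example-org/base-image:stable` stands in for the real base image, `BASE_SIGNER_IDENTITY` for whatever workflow identity signs it, and the Dockerfile is assumed to accept a `BASE_IMAGE` build argument. The action names (`sigstore/cosign-installer`, `docker/build-push-action`, `docker/login-action`) and cosign flags are real.

```yaml
name: build-and-sign-addon

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write
  id-token: write   # required for keyless (OIDC) signing with cosign

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # ASSUMPTION: placeholder for the add-on's real base image
      BASE_IMAGE: ghcr.io/example-org/base-image:stable
      # ASSUMPTION: placeholder identity of the workflow that signs the base image
      BASE_SIGNER_IDENTITY: https://github.com/example-org/base-image/.github/workflows/build.yml@refs/heads/main
      BASE_SIGNER_ISSUER: https://token.actions.githubusercontent.com
      # ASSUMPTION: placeholder name for the add-on image being built
      ADDON_IMAGE: ghcr.io/${{ github.repository_owner }}/example-addon
    steps:
      - uses: actions/checkout@v4

      - uses: sigstore/cosign-installer@v3

      # Step 1: refuse to build on a base image whose signature does not verify.
      # The verified digest is captured so the build pins exactly what was checked,
      # rather than re-resolving a mutable tag afterwards.
      - name: Verify base image signature and capture its digest
        id: base
        run: |
          DIGEST=$(cosign verify \
            --certificate-identity "$BASE_SIGNER_IDENTITY" \
            --certificate-oidc-issuer "$BASE_SIGNER_ISSUER" \
            --output json "$BASE_IMAGE" \
            | jq -r '.[0].critical.image."docker-manifest-digest"')
          test -n "$DIGEST" && test "$DIGEST" != "null"
          echo "digest=$DIGEST" >> "$GITHUB_OUTPUT"

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Step 2: build from the pinned digest, not the tag.
      # ASSUMPTION: the Dockerfile declares `ARG BASE_IMAGE` and uses `FROM ${BASE_IMAGE}`.
      - name: Build and push the add-on image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ env.ADDON_IMAGE }}:latest
          build-args: |
            BASE_IMAGE=${{ env.BASE_IMAGE }}@${{ steps.base.outputs.digest }}

      # Step 3: sign the add-on image keyless, by digest rather than by tag,
      # so the signature cannot be moved to a different image by retagging.
      - name: Sign the add-on image
        run: cosign sign --yes "${ADDON_IMAGE}@${{ steps.build.outputs.digest }}"
```

Consumers of the add-on would then run `cosign verify` with this repository's workflow identity as `--certificate-identity` and `https://token.actions.githubusercontent.com` as the issuer; the ebusd image would need the same verify-then-pin treatment if its publisher signs it, and if it is not signed there is a gap in the chain that no downstream signature closes.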

LukasGrebe commented 3 months ago

closed as stale