Open armijnhemel opened 2 years ago
What would we want to sign? The git tag? nix has no binary releases outside of the nix cache which has no gpg signing support. Maybe something we should consider adding.
I also did a quick read over the website, and other than buzzwords like "smart cryptography" and bold claims like "We use Cosign to generate the key pairs needed to sign and verify artifacts, automating as much as possible so there's no risk of losing or leaking them."
After digging a few minutes through the documentation and trying it out locally, because I couldn't find an answer, I hope I understand it sufficiently to answer my first question: basically this is a cloud-hosted and managed gpg signing with a small wrapper around their oauth2 login service, which mandates that everyone signs in with their GitHub, Google or Microsoft account. So this basically moves the trust entirely into the cloud service, and the liability of managing secrets securely to the cloud provider, and to me having to secure all the login methods and the email address used.
The documentation of Project Sigstore says it is mainly used for signing software artifacts (for example, Nix release tarballs) as well as Git commits. The industry at large is increasingly moving towards more signing and better provenance tracking. So this will come to NixOS at some point. Project Sigstore is one of the potential solutions.
I'd imagine this would sign what nix signs today.
I.e., you'd store a Sigstore bundle in the narinfo, and the Sigstore signature signs the NAR.
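For readers who want to see what "what nix signs today" concretely refers to: the example below (added here; it is not code from the Nix project or from anyone in this thread) builds the fingerprint string that a Nix binary cache signs and checks the `Sig:` line on a narinfo with Ed25519, which is the scheme the NixOS cache uses today. A Sigstore bundle would replace the `Sig:` line with a bundle whose certificate-bound signature covers the same bytes; that verification needs Sigstore's libraries and is not reproduced here. The narinfo text, the key name `example-cache-1`, the store path hashes and the NarHash value are constructed placeholders, not real cache data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

const storeDir = "/nix/store"

// NarInfo carries the narinfo fields that go into the signed fingerprint,
// plus any Sig: lines already attached to it.
type NarInfo struct {
	StorePath  string   // full store path
	NarHash    string   // "sha256:<base32>"
	NarSize    uint64   // size of the uncompressed NAR in bytes
	References []string // basenames, as written on the References: line
	Sigs       []string // "<keyName>:<base64 ed25519 signature>"
}

// Constructed sample narinfo (placeholder hashes, not a real cache entry).
const sampleNarInfo = `StorePath: /nix/store/xxxxxxxx-hello-2.12
URL: nar/example.nar.xz
Compression: xz
NarHash: sha256:placeholderhash
NarSize: 226560
References: xxxxxxxx-hello-2.12 yyyyyyyy-glibc-2.37
`

// ParseNarInfo reads the "Key: value" lines of a narinfo (only the keys used here).
func ParseNarInfo(text string) (NarInfo, error) {
	var n NarInfo
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		kv := strings.SplitN(line, ": ", 2)
		if len(kv) != 2 {
			return n, fmt.Errorf("malformed narinfo line %q", line)
		}
		switch kv[0] {
		case "StorePath":
			n.StorePath = kv[1]
		case "NarHash":
			n.NarHash = kv[1]
		case "NarSize":
			size, err := strconv.ParseUint(kv[1], 10, 64)
			if err != nil {
				return n, fmt.Errorf("bad NarSize: %w", err)
			}
			n.NarSize = size
		case "References":
			n.References = strings.Fields(kv[1])
		case "Sig":
			n.Sigs = append(n.Sigs, kv[1])
		}
	}
	if n.StorePath == "" || n.NarHash == "" {
		return n, errors.New("narinfo is missing StorePath or NarHash")
	}
	return n, nil
}

// Fingerprint returns the exact bytes Nix signs:
// "1;<storePath>;<narHash>;<narSize>;<sorted full reference paths, comma separated>".
// Binding size and references into the signed string is what stops a cache
// from swapping the NAR's dependency closure without invalidating the signature.
func Fingerprint(n NarInfo) string {
	refs := make([]string, 0, len(n.References))
	for _, r := range n.References {
		refs = append(refs, storeDir+"/"+r)
	}
	sort.Strings(refs)
	return fmt.Sprintf("1;%s;%s;%d;%s", n.StorePath, n.NarHash, n.NarSize, strings.Join(refs, ","))
}

// Sign appends a "keyName:base64" Sig entry over the fingerprint and returns it.
func Sign(n *NarInfo, keyName string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, []byte(Fingerprint(*n)))
	line := keyName + ":" + base64.StdEncoding.EncodeToString(sig)
	n.Sigs = append(n.Sigs, line)
	return line
}

// Verify accepts the narinfo if at least one Sig entry is a valid signature
// from a key in the trusted set; it returns the name of the key that matched.
func Verify(n NarInfo, trusted map[string]ed25519.PublicKey) (string, error) {
	msg := []byte(Fingerprint(n))
	for _, s := range n.Sigs {
		parts := strings.SplitN(s, ":", 2)
		if len(parts) != 2 {
			continue
		}
		pub, ok := trusted[parts[0]]
		if !ok {
			continue // signed by a key we do not trust; keep looking
		}
		raw, err := base64.StdEncoding.DecodeString(parts[1])
		if err != nil || len(raw) != ed25519.SignatureSize {
			continue
		}
		if ed25519.Verify(pub, msg, raw) {
			return parts[0], nil
		}
	}
	return "", errors.New("no valid signature from a trusted key")
}

func main() {
	n, err := ParseNarInfo(sampleNarInfo)
	if err != nil {
		panic(err)
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("fingerprint:", Fingerprint(n))
	fmt.Println("Sig:", Sign(&n, "example-cache-1", priv))
	who, err := Verify(n, map[string]ed25519.PublicKey{"example-cache-1": pub})
	fmt.Println("verified by:", who, "err:", err)
	n.NarSize++ // any change to the signed fields must invalidate the signature
	_, err = Verify(n, map[string]ed25519.PublicKey{"example-cache-1": pub})
	fmt.Println("after tampering, err:", err)
}
```

The trusted-key map plays the role of `trusted-public-keys` in `nix.conf`: a signature from a key that is not in the set is ignored rather than treated as an error, so a narinfo carrying only unknown signatures fails verification the same way an unsigned one does.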
An increasing number of projects are using "Project Sigstore" ( https://www.sigstore.dev/ ) to sign software releases. It might be worth looking into signing releases of Nix as well.