TBD54566975 / open-source-programs

Issue tracking and milestone scheduling for TBD's Open Source Programs.
Apache License 2.0

Use Signed Git Commits and Releases #78

Closed (ALRubinger closed this 6 months ago)

ALRubinger commented 11 months ago

Using signed commits and releases is crucial for supply chain security because it provides verifiable assurance that the code or release originates from a trusted source and has not been tampered with during transit. This cryptographic validation prevents malicious actors from introducing unauthorized changes or counterfeit software into the supply chain. In essence, signing serves as a digital "seal of authenticity" for software components, bolstering trust and integrity throughout the development and distribution process.

This is achieved through settings on the GitHub repositories. Determine the effective set of settings, and implement them across projects.

ALRubinger commented 11 months ago

Not yet started in earnest. Some intro calls and backing thoughts as detailed in internal Supply Chain doc.

ALRubinger commented 6 months ago

We'll drop this in favor of release signing, which we have and have plans to improve.