alexellis / arkade

Open Source Marketplace For Developer Tools
https://blog.alexellis.io/kubernetes-marketplace-two-year-update/
MIT License

Feature request: Integrate with the Cosign project for arkade releases #612

Closed developer-guy closed 1 year ago

developer-guy commented 2 years ago

Expected Behaviour

verifiable arkade binaries

Current Behaviour

There is no support for signing and verifying arkade binaries.

Are you a GitHub Sponsor (Yes/No?)

Check at https://github.com/sponsors/alexellis

Possible Solution

using cosign and GitHub Actions

https://chainguard.dev/posts/2021-12-01-zero-friction-keyless-signing
https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

Steps to Reproduce (for bugs)

1. 2. 3. 4.

Context

Your Environment

kubectl version
uname -a

cat /etc/os-release
arkade version

alexellis commented 2 years ago

Thanks for your suggestion.

Just like on #613 this proposal is missing context, use-cases and pros/cons.

Please take a few moments to add some meat to the bones here.

I know you're aware of the contribution guide, but please don't send a PR for either of these until they have approval and are marked as accepted.

alexellis commented 2 years ago

/set title: Feature request: Integrate with the Cosign project for arkade releases

Shikachuu commented 2 years ago

/add label: enhancement

alexellis commented 1 year ago

We still haven't had any of the requested information added by the requestor.

From looking at the links, this is for signing containers only; however, cosign sign-blob may potentially be used to generate a signature for the binaries, which would then need to be uploaded to a registry.

I'll close for now due to lack of interest from the community, but open to revisiting in the future.