buildpacks / pack

CLI for building apps using Cloud Native Buildpacks
https://buildpacks.io
Apache License 2.0
2.56k stars 286 forks

Sign release tags #2138

Open inglor opened 5 months ago

inglor commented 5 months ago

Description

Consider signing tags of releases

Proposed solution

As the package maintainer for Arch Linux, I would appreciate it if you could help maintain the chain of trust with PGP signatures on commits/tags. This can be handled by the Arch Linux build tools, which can automatically validate the PGP public key of the author of the commit/tag.

Tasks:

Describe alternatives you've considered

N/A

Additional context

N/A
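The chain of trust described in the request, shown end to end as an added example (not code from the buildpacks/pack project or from this issue): a throwaway GPG key signs a tag in a scratch repository, and the consumer side verifies the tag and then checks that the signing key matches a fingerprint pinned out of band, which is the role Arch's `validpgpkeys` array plays in a PKGBUILD. The key identity, repository path and tag names are constructed for the demonstration; the script needs `git` and `gpg` on the path and skips (exit 77) when either is missing.

```shell
#!/bin/sh
# Added example, not part of buildpacks/pack. Demonstrates signing a release
# tag and verifying it against a pinned key fingerprint. Identity, paths and
# tag names below are constructed for this demo.
set -u

# Returns 0 when the signed tag verifies under the pinned fingerprint and an
# unsigned look-alike tag is rejected, 77 when git or gpg is unavailable,
# 1 on any verification failure. Runs in a subshell so cwd and env are local.
demo_signed_tag() (
    command -v git >/dev/null 2>&1 || return 77
    command -v gpg >/dev/null 2>&1 || return 77

    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1

    # 1. Throwaway signing key for a hypothetical release manager (no passphrase).
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF' || return 1
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Manager (example)
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    # The fingerprint a packager would pin out of band (e.g. in validpgpkeys).
    pinned=$(gpg --batch --with-colons --list-keys 'release@example.invalid' \
             | awk -F: '/^fpr:/ { print $10; exit }')
    [ -n "$pinned" ] || return 1

    # 2. Scratch repository with one commit and a PGP-signed release tag.
    repo="$work/repo"
    git init -q "$repo" || return 1
    cd "$repo" || return 1
    git config user.name 'Release Manager'
    git config user.email 'release@example.invalid'
    git config user.signingkey "$pinned"
    printf 'pack\n' > README
    git add README
    git -c commit.gpgsign=false commit -q -m 'initial commit' || return 1
    git tag -s v0.0.0-example -m 'release v0.0.0-example' || return 1

    # 3. Consumer side. `git verify-tag` alone only proves that *some* key in
    #    the local keyring made the signature; comparing the signer's
    #    fingerprint to the pinned one is what ties the tag to the maintainer.
    git verify-tag v0.0.0-example >/dev/null 2>&1 || return 1
    signer=$(git verify-tag --raw v0.0.0-example 2>&1 \
             | awk '/VALIDSIG/ { print $3; exit }')
    [ "$signer" = "$pinned" ] || return 1

    # 4. Negative check: an unsigned annotated tag with the same message
    #    must not verify, otherwise the check would be meaningless.
    git tag -a v0.0.0-unsigned -m 'release v0.0.0-example' || return 1
    if git verify-tag v0.0.0-unsigned >/dev/null 2>&1; then
        return 1
    fi
    return 0
)

demo_signed_tag; rc=$?
case $rc in
    0)  echo "signed tag verified against the pinned fingerprint" ;;
    77) echo "skipped: git and gpg are required for this demo" ;;
    *)  echo "verification FAILED (rc=$rc)" ;;
esac
```

Downstream, the equivalent of step 3 is what a packager's build tooling performs automatically once the fingerprint is pinned; the negative check in step 4 is worth keeping in any verification script, since a tag that "verifies" regardless of signature is the failure mode that silently breaks the chain.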

jjbustamante commented 5 months ago

Hi @inglor, we've discussed similar ideas in the past; there is an open RFC to integrate with Cosign. From this RFC, some new ideas came up, like the prepare operation:

We are happy to get some help or ideas, or if you want to keep working on the previous RFCs, that will be great.

jjbustamante commented 5 months ago

This is probably similar to or duplicating #268

inglor commented 5 months ago

I think you misunderstood the request. This is about signing the release tag of this repository with a PGP key. No new feature request for pack itself :) I just couldn't choose a category other than feature.

jjbustamante commented 5 months ago

Oh! Sorry about that @inglor, then I think it is similar to or duplicating this one: #934 :)

inglor commented 5 months ago

Yes - I'll move discussion there.

inglor commented 5 months ago

As per the suggestion on https://github.com/buildpacks/pack/issues/934#issuecomment-2073618114, re-opening this.