carvel-dev / kapp-controller

Continuous delivery and package management for Kubernetes.
https://carvel.dev/kapp-controller
Apache License 2.0

Package signing & verification #809

Open benmoss opened 2 years ago

benmoss commented 2 years ago

Describe the problem/challenge you have

As a consumer of packages, I want to have a way of verifying that the package was produced by a trusted party.

Describe the solution you'd like

Not a clear solution right now.


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help work on this issue.

ThomasVitale commented 1 year ago

More and more cloud native projects have started adopting Sigstore for signing and verifying artefacts. It would be great if kapp-controller (and the same is true for all the other Carvel tools) provided that integration. There's also a "Sigstore Landscape" in the OpenSSF listing all the projects using Sigstore, one way or another.
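Added example, not part of the issue thread and not kapp-controller or Sigstore code: the consumer-side check the issue asks for, written against the Go standard library only. It stands in for the key-based mode of signing (an ECDSA P-256 signature over the SHA-256 digest of the artefact, the same primitive and default key type that cosign's key-based flow uses) and shows the four cases a verifier must get right: a genuine bundle is accepted, a bundle altered after signing is rejected, an envelope whose digest was rewritten to match the altered bundle is rejected, and a bundle re-signed by a key outside the trusted set is rejected. `PackageSignature`, `signBundle`, `verifyBundle`, `Demo` and the sample `Package` YAML are all hypothetical names and constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PackageSignature is a hypothetical envelope shipped next to a package:
// the digest the producer signed and the signature over it.
type PackageSignature struct {
	Digest    [32]byte // SHA-256 of the package bundle contents
	Signature []byte   // ASN.1 DER ECDSA signature over Digest
}

// bundleDigest hashes the bundle bytes. In an OCI-based flow this would be
// the manifest digest the registry serves.
func bundleDigest(bundle []byte) [32]byte {
	return sha256.Sum256(bundle)
}

// signBundle is the producer side: sign the digest with the release key.
func signBundle(priv *ecdsa.PrivateKey, bundle []byte) (PackageSignature, error) {
	d := bundleDigest(bundle)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return PackageSignature{}, err
	}
	return PackageSignature{Digest: d, Signature: sig}, nil
}

// verifyBundle is the consumer side. The digest is recomputed from the bytes
// actually fetched, never taken from the envelope, and the signature must
// verify under at least one key the consumer has chosen to trust.
func verifyBundle(trusted []*ecdsa.PublicKey, bundle []byte, ps PackageSignature) error {
	d := bundleDigest(bundle)
	if d != ps.Digest {
		return errors.New("bundle contents do not match the signed digest")
	}
	for _, pub := range trusted {
		if ecdsa.VerifyASN1(pub, d[:], ps.Signature) {
			return nil
		}
	}
	return errors.New("signature does not verify under any trusted key")
}

// Outcome records whether each case behaved as a consumer requires.
type Outcome struct {
	GenuineAccepted      bool // trusted producer, untouched bundle
	TamperedRejected     bool // bundle modified after signing
	ForgedDigestRejected bool // envelope digest rewritten to match the tampered bundle
	UntrustedRejected    bool // tampered bundle re-signed by an untrusted key
}

// Demo runs the four cases against a constructed sample bundle.
func Demo() (Outcome, error) {
	var o Outcome
	producer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	// Constructed sample input, not a real package from any repository.
	bundle := []byte("apiVersion: data.packaging.carvel.dev/v1alpha1\nkind: Package\nmetadata:\n  name: demo.example.com.1.0.0\n")
	trusted := []*ecdsa.PublicKey{&producer.PublicKey}

	genuine, err := signBundle(producer, bundle)
	if err != nil {
		return o, err
	}
	o.GenuineAccepted = verifyBundle(trusted, bundle, genuine) == nil

	tampered := append(append([]byte{}, bundle...), "  annotations:\n    injected: \"true\"\n"...)
	o.TamperedRejected = verifyBundle(trusted, tampered, genuine) != nil

	forged := genuine
	forged.Digest = bundleDigest(tampered) // digest now matches, but the signature was made over the old one
	o.ForgedDigestRejected = verifyBundle(trusted, tampered, forged) != nil

	resigned, err := signBundle(impostor, tampered)
	if err != nil {
		return o, err
	}
	o.UntrustedRejected = verifyBundle(trusted, tampered, resigned) != nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

What Sigstore's keyless mode changes is only where the trust anchor comes from: the static `trusted` list becomes a Fulcio-issued certificate bound to an OIDC identity plus a Rekor inclusion proof, which this example does not model. The two invariants the verifier enforces here, recomputing the digest from the fetched bytes and pinning trust to specific signers rather than to "any valid signature", are the ones an integration in kapp-controller would need either way.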