Open shenxianpeng opened 1 month ago
That last link was most helpful to me. I've never been too concerned about verifying "artifacts" that I download over the Internet.
Now that I have a better understanding of provenance attestation, my first thought was the static binaries we are distributing via clang-tools-pip use. This is where I'd start integrating proper attestation. Then we can use such attestation downstream in cpp-linter-action (or in clang-tools-pip itself)...
Pypi does not support any form of digital signing (that I'm aware of). Just last year, they dropped their support for PGP signatures.
To summarize your thoughts, we can at least start with this:
maybe we do not need to verify attestation in cpp-linter-action because the static binaries have been verified in clang-tools-pip.
Digital signing seems to be on Pypi's roadmap: https://github.com/pypi/warehouse/issues/15871
It looks like GitHub rolled out their own attestations in beta. I wonder if we could integrate with that. More details below: