hyperledger-cacti / cacti

Hyperledger Cacti is a new approach to the blockchain interoperability problem
https://wiki.hyperledger.org/display/cactus
Apache License 2.0

ci(release): add sigstore npm integration through --provenance #2623

Open petermetz opened 1 year ago

petermetz commented 1 year ago

Description

As a user of the Cacti npm packages I want to see on npmjs.com that the cacti packages are signed so that I have a layer of extra security against supply chain attacks that I can leverage.

https://github.blog/2023-04-19-introducing-npm-package-provenance/
https://blog.sigstore.dev/npm-public-beta/

Acceptance Criteria

  1. The complete list of cacti packages that we are publishing is published with the additional --provenance option so that the signature appears publicly on the registries (for example https://www.npmjs.com/package/@hyperledger/cactus-cmd-api-server)
  2. Release process is still fully automated (which is a work in progress task at the time of this writing but nevertheless...)
  3. Any changes to the release process should be documented
  4. We have to retain the ability to issue releases by multiple maintainers (so signing keys shouldn't be generated/distributed in a way that there's any single point of failure)
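The acceptance criteria above map onto a short GitHub Actions job; the following is an added illustration, not Cacti's actual release workflow. The workflow file name, the `NPM_TOKEN` secret name and the package paths in the publish loop are assumptions, and the publish step relies on npm >= 9.5.0 (the first version with `--provenance`).

```yaml
# .github/workflows/release.yml (constructed example; file name, secret
# name and package paths are assumptions, not the project's own workflow)
name: release-with-provenance

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    # The provenance attestation is signed via Sigstore using the job's
    # GitHub OIDC token, so the job needs id-token: write. No long-lived
    # signing key exists to store or share, which is what lets any
    # maintainer cut a release without creating a single point of failure
    # (criterion 4).
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # registry-url makes setup-node write an .npmrc that reads the
          # publish token from NODE_AUTH_TOKEN at publish time.
          registry-url: https://registry.npmjs.org
      # --provenance requires npm >= 9.5.0; pin or upgrade explicitly.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm run build
      # One publish per package (criterion 1). --provenance attaches a
      # SLSA provenance attestation, signed through Sigstore, that links the
      # tarball to this exact repository, commit and workflow run.
      - name: Publish all packages with provenance
        run: |
          for pkg in packages/cactus-cmd-api-server packages/cactus-core; do  # assumed paths
            npm publish --provenance --access public --workspace "$pkg"
          done
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # Consumer-side check of the published result. `npm audit signatures`
  # verifies the registry signatures and provenance attestations of every
  # installed package and exits non-zero if one is missing or invalid.
  verify-provenance:
    needs: publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm init -y && npm install @hyperledger/cactus-cmd-api-server@latest
      - run: npm audit signatures
```

The provenance badge on npmjs.com is only the visible half; the `npm audit signatures` step is the check a downstream user runs to detect a package that was republished without provenance or from a different source repository.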

adrianbatuto commented 1 month ago

Hi @jagpreetsinghsasan, I would like to work on this issue.