Task Force Proposal: Security Artifact Signing

[tkuhrt]

Introduction/background material

At the January 19, 2023 TOC meeting, @lehors presented an overview of OpenSSF. One of the low hanging fruit that Hyperledger might implement to improve security is the use of SigStore for artifact signing.

Task to be completed

This task force will be focused on developing best practices and tooling for using SigStore for artifact signing.

List of deliverables or work products

• [ ] Best Practices for using SigStore for artifact signing consistently across Hyperledger projects

Time to complete (no more than 6 months)

TBD

Leader

Arun S M

Initial participant list

• Marcus Brandenburger
• Arnaud Le Hors
• Hart Montgomery
• Jim Zhang

[arsulegai]

Update from TOC meeting on Aug 17th, 2023:

• This was the first TOC meeting to kick-start the task force.
• Majority of the discussion leaned towards utilizing sigstore tool for signing the artifacts.
• The individual projects will experiment and share the learnings in upcoming task force meeting.