microsoft / component-detection

Scans your project to determine what components you use
MIT License
438 stars 91 forks

Sign Component Detection GitHub releases #653

Status: Open. melotic opened this issue 1 year ago

melotic commented 1 year ago

In accordance with OpenSSF's recommendations, we should be cryptographically signing our GitHub releases with a GPG key.

We can perhaps use the cert from OneCert when we complete #652

JamieMagee commented 6 months ago

I'm not sure if GPG is necessary here. Something like sigstore or GitHub's new artifact attestations might be a more lightweight option.