Open melotic opened 1 year ago
In accordance with OpenSSF's recommendations, we should be cryptographically signing our GitHub releases with a GPG key.
We can perhaps use the cert from OneCert when we complete #652.
I'm not sure if GPG is necessary here. Something like sigstore or GitHub's new artifact attestations might be a more lightweight option.