Sign releases

[udf2457]

You can even do it fully-automated via Github Actions, Github OIDC and Sigstore "keyless" signing.

[lspgn]

Hello, Thank you for the suggestion but I don't understand what signing releases refer to here. Some information is missing. Is it the PGP ASC file for the downloads? Or do you refer to the Docker releases.

[udf2457]

Hi

As in https://github.com/netsampler/goflow2/releases

No signatures present (and not even a checksums file, but signatures are preferable to that)

So yes, I guess "PGP ASC file for the downloads" (or an alternative equivalent).

[udf2457]

Useful references: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator