Open sunshowers opened 2 years ago
FYI, I'm working on supporting signing in upload-rust-binary-action, and here is a draft implementation of signing with PGP: https://github.com/taiki-e/upload-rust-binary-action/issues/40#issuecomment-1382745575
Thanks, this is awesome! Any plans to support Sigstore?
Sorry for the late reply, Sigstore has been included in the list since https://github.com/taiki-e/upload-rust-binary-action/issues/40 was first opened.
Do you have any concrete requests as to what format you want to sign, or what files you want to sign?
Thanks @taiki-e -- ideally the release task would run cosign sign-blob using an identity from GitHub Actions: https://docs.sigstore.dev/cosign/signing_with_blobs. Then, the cosign.bundle (appropriately named) would be uploaded along with the artifact. To verify the signature, users or automated tooling could download the cosign bundle and verify it that way.
It would also be great to work with @NobodyXu and the binstall folks to align on a strategy where binstall checks signatures.
(I think another option is to use OCI to store artifacts in addition to GitHub Releases: https://docs.sigstore.dev/cosign/signing_with_blobs/#blobs-in-oci-registries)
I wrote a comment on https://github.com/cargo-bins/cargo-binstall/issues/1 discussing this.
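The flow described above (run cosign sign-blob in CI with the GitHub Actions OIDC identity, upload the bundle next to the artifact, verify using the bundle), as an added example workflow that is not code from this thread or from upload-rust-binary-action; OWNER/REPO, the workflow file name and the binary path are placeholders to be replaced with the real values.

```yaml
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # needed to upload release assets
  id-token: write   # lets cosign mint an OIDC token for keyless signing

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Build step omitted; assume it produces target/release/my-binary (placeholder path).
      - uses: sigstore/cosign-installer@v3
      - name: Sign the release binary with the workflow's GitHub Actions identity
        run: |
          cosign sign-blob --yes \
            --bundle my-binary.cosign.bundle \
            target/release/my-binary
      - name: Verify the bundle before publishing it
        # Pin the expected signer identity and OIDC issuer; a bundle produced by a
        # different repository or workflow is rejected even though it is "valid".
        run: |
          cosign verify-blob \
            --bundle my-binary.cosign.bundle \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/OWNER/REPO/\.github/workflows/release\.yml@refs/tags/v' \
            target/release/my-binary
      - name: Upload the binary and its bundle as release assets
        run: gh release upload "${GITHUB_REF_NAME}" target/release/my-binary my-binary.cosign.bundle
        env:
          GH_TOKEN: ${{ github.token }}
```

Consumers (or an installer such as binstall) run the same `cosign verify-blob --bundle ...` command with the same identity and issuer pins against the downloaded binary and bundle, so the check does not depend on anything other than the two published files and the public Sigstore infrastructure.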
It would be really nice to have a way for us to sign nextest's binary releases to ensure they're authentic.