nextest-rs / nextest

A next-generation test runner for Rust.
https://nexte.st
Apache License 2.0

Sign nextest's binary releases #369

Open sunshowers opened 2 years ago

sunshowers commented 2 years ago

It would be really nice to have a way for us to sign nextest's binary releases to ensure they're authentic.

taiki-e commented 1 year ago

FYI, I'm working on supporting signing in upload-rust-binary-action, and here is a draft implementation of signing with PGP: https://github.com/taiki-e/upload-rust-binary-action/issues/40#issuecomment-1382745575

sunshowers commented 1 year ago

Thanks, this is awesome! Any plans to support Sigstore?

taiki-e commented 1 year ago

Sorry for the late reply, Sigstore has been included in the list since https://github.com/taiki-e/upload-rust-binary-action/issues/40 was first opened.

Do you have any concrete requests as to what format you want to sign, or what files you want to sign?

sunshowers commented 1 year ago

Thanks @taiki-e -- ideally the release task would run cosign sign-blob using an identity from GitHub Actions: https://docs.sigstore.dev/cosign/signing_with_blobs. Then, the cosign.bundle (appropriately named) would be uploaded along with the artifact. To verify the signature, users or automated tooling could download the cosign bundle and verify it that way.

It would also be great to work with @NobodyXu and the binstall folks to align on a strategy where binstall checks signatures.
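The flow proposed above, written out as an added example (this is not nextest's or upload-rust-binary-action's real workflow): a GitHub Actions job mints an OIDC token, `cosign sign-blob` binds the artifact's signature to that identity, and the bundle is uploaded beside the artifact so consumers can verify it offline against the Sigstore bundle. The artifact name `dist/cargo-nextest.tar.gz`, the workflow file name `release.yml`, and the build step are placeholders.

```yaml
# Added example, not nextest's own release workflow.
# Assumed: the build produces dist/cargo-nextest.tar.gz and the
# release is created from a tag push; this file lives at
# .github/workflows/release.yml (the path becomes part of the identity).
name: release
on:
  push:
    tags: ["*"]
permissions:
  contents: write   # upload release assets with gh
  id-token: write   # request the OIDC token that Fulcio binds into the cert
jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - name: Build
        run: ./build.sh            # placeholder for the real build step
      - name: Sign (keyless; identity is this workflow's OIDC token)
        run: |
          cosign sign-blob --yes \
            --bundle dist/cargo-nextest.tar.gz.cosign.bundle \
            dist/cargo-nextest.tar.gz
      - name: Upload artifact and bundle together
        run: >
          gh release upload "$GITHUB_REF_NAME"
          dist/cargo-nextest.tar.gz
          dist/cargo-nextest.tar.gz.cosign.bundle
        env:
          GH_TOKEN: ${{ github.token }}

# Consumer side (binstall or a user), after downloading both files.
# The identity check is what makes this meaningful: without it, any
# GitHub Actions job anywhere could have produced a valid bundle.
#
#   cosign verify-blob \
#     --bundle cargo-nextest.tar.gz.cosign.bundle \
#     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
#     --certificate-identity-regexp \
#       '^https://github.com/nextest-rs/nextest/\.github/workflows/release\.yml@refs/tags/' \
#     cargo-nextest.tar.gz
```

Pinning `--certificate-identity-regexp` to the repository and workflow path is the step most often skipped; verifying only the bundle's Rekor entry and certificate chain proves a GitHub workflow signed the file, not which one.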

sunshowers commented 1 year ago

(I think another option is to use OCI to store artifacts in addition to GitHub Releases: https://docs.sigstore.dev/cosign/signing_with_blobs/#blobs-in-oci-registries)

sunshowers commented 1 year ago

I wrote a comment on https://github.com/cargo-bins/cargo-binstall/issues/1 discussing this.