CNCF provides a tool Clomonitor to run OpenSSF Security Best Practice checks on CNCF projects. There is a signing related check that has not been passed in the security check items. See https://clomonitor.io/projects/cncf/notary#notation_security.
According to OpenSSF Scorecard signing check criteria, a .sig file should be generated in the Notation release assets so the signature could be detected by OpenSSF Scorecard check tool. To meet the OpenSSF security best practice, we need to sign the Notation CLI release assets.
What solution do you propose?
Notation provides GitHub Actions for signing and verification that can be easily used in GitHub Actions Workflow and release process.
There are a few dependencies before implementing the signing flow in the release process, such as blob signing and timestamping which are working in progress. Retrieve signing key from GitHub infra as articulated in #905 might another dependency. It's recommended to sign Notation CLI release assets with Notation GitHub Actions after these dependencies are supported in upcoming releases.
Is your feature request related to a problem?
CNCF provides a tool Clomonitor to run OpenSSF Security Best Practice checks on CNCF projects. There is a signing related check that has not been passed in the security check items. See https://clomonitor.io/projects/cncf/notary#notation_security.
According to OpenSSF Scorecard signing check criteria, a
.sigfile should be generated in the Notation release assets so the signature could be detected by OpenSSF Scorecard check tool. To meet the OpenSSF security best practice, we need to sign the Notation CLI release assets.What solution do you propose?
Notation provides GitHub Actions for signing and verification that can be easily used in GitHub Actions Workflow and release process.
There are a few dependencies before implementing the signing flow in the release process, such as blob signing and timestamping which are working in progress. Retrieve signing key from GitHub infra as articulated in #905 might another dependency. It's recommended to sign Notation CLI release assets with Notation GitHub Actions after these dependencies are supported in upcoming releases.
What alternatives have you considered?
N/A
Any additional context?
N/A