Looking for advice on signing artifacts for Weaver / semantic conventions

[jsuereth]

The Semantic Conventions Tooling Working Group is looking for advice on signing artifacts.

Background.

Weaver is a templating tool we own that generates markdown documentation and code from semantic conventions. It is distributed as the following:

• Zipped binaries
• Executable (Windows)
• MSI (Windows)
• Docker container (primary usage)

You can find an asset list on the 0.4.0 Release

Weaver includes a command line interface that generates code, calculates statistics and allows interactive interaction with the repository to discover names/signals that can be generated.

Today, weaver artifacts are unsigned and, e.g., the windows distributions issue a security notice.

The distribution tooling we have has guidance on how to solve this: cargo-dist Signing and Attestation

Needs

We'd love guidance (ideally in the form of a How-to-Guide) on how to sign our artifacts. Particularly:

• An integration guide on recommended options from Otel Security SiG
• A mechanism to update Github Action workflows to sign all artifacts (ideally supported by cargo-dist).
• A shared set of keys that denote "This was built by open-telemetry automation" that is owned by security sig but we can leverage for signing artifacts we publish.

[jpkrohling]

While we don't have an official recommendation right now, we have implemented code signing for the Collector and are gathering learnings from that. It would be valuable to us if you could follow what we are doing with the Collector and share your experience.

@cpanato helped us implement the code signing there, perhaps he'd be able to help you with this as well.