Open martinkuba opened 1 week ago
While Maven Central doesn't support sigstore/cosign like npm does, I did attempt to implement it for the java sdk repo: https://github.com/open-telemetry/opentelemetry-java/pull/6531
It would be nice if I could get validation for my approach from the Security SIG, or guidance on what I need to change.
The Collector is already signing released images using Sigstore. I think we want to do the same for language SDK releases in general.
I would like to start implementing this in the JavaScript SDK using the npm provenance feature, which is built into the npm package manager itself and makes it easy for users to verify how a published package was built.
I am looking for guidance from the Security SIG on
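For reference, the npm provenance flow mentioned above looks like this in a GitHub Actions release job. This is an added example, not code from the issue or from the OpenTelemetry JavaScript SDK; the workflow name, tag pattern and the `NPM_TOKEN` secret name are assumptions.

```yaml
# Added example (not from the issue or the OpenTelemetry project): a minimal
# GitHub Actions release job that publishes an npm package with provenance.
# Workflow name, tag pattern and secret name are placeholders.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  # Required for provenance: npm requests a short-lived OIDC token from the
  # runner and uses it to sign a Sigstore attestation that ties the published
  # tarball to this repository, commit and workflow. Without `id-token: write`,
  # `npm publish --provenance` fails instead of silently publishing unsigned.
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # registry-url makes setup-node write an .npmrc that reads the
          # auth token from NODE_AUTH_TOKEN at publish time.
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # --provenance generates and uploads the attestation alongside the package;
      # --access public is needed the first time a scoped package is published.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Consumers can then run `npm audit signatures` in a project that depends on the package, which checks the registry signatures and provenance attestations of installed packages and reports any that are missing or invalid.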