opentofu / opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.
https://opentofu.org
Mozilla Public License 2.0

Add signed source tar.gz release packages #2107

Open ehdis opened 2 weeks ago

ehdis commented 2 weeks ago

OpenTofu Version

All

The problem in your OpenTofu project

In addition to the compiled release packages, it would be great to have also signed source tar.gz archives (obviously not the dynamically generated ones).

Attempted Solutions

Every compiled release package can be integrity-checked/validated but not the sources!

Proposal

Extend the action workflow to also build and sign a source tarball.

References

No response

abstractionfactory commented 2 weeks ago

Hey @ehdis I believe this issue is a duplicate of #1679. Could you verify and upvote that issue if it is? Also, please feel free to comment on the need for signing on that issue.

ehdis commented 2 weeks ago

Not necessarily. Before building the project code on a local system, it's important to check the integrity of the sources of the actual project (this request). Dependencies can come from the OS (then already integrity-checked) or as a self-contained vendor directory created locally under best practices to address supply-chain security, but this is a separate issue. When the project includes a vendor directory by itself, then it should still offer a signed source package version.
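The proposal ("build and sign a source tarball in the release workflow") and the point above about checking source integrity before a local build both come down to the same three steps: produce a tarball whose bytes do not change between runs, publish its checksum, and sign the checksum file so a downloader can verify it against the release key. The script below is an added example written for this thread, not OpenTofu's release tooling or any file from the repository; it assumes GNU tar (for `--sort`, `--mtime`, `--owner`), `gzip`, one of `sha256sum`/`shasum`/`openssl`, and, for the optional signing step, `gpg` with a key id supplied in a `GPG_SIGN_KEY` variable of the caller's choosing. The sample source tree in `demo` is constructed inline.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code: reproducible source tarball,
# checksum file, optional GPG detached signature, and the verification a
# downloader runs before building. GPG_SIGN_KEY is an assumed caller-set
# variable; nothing here is wired into a real workflow.

sha256_of() {
  # Print the hex SHA-256 of a file with whichever tool is on PATH.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

make_source_tarball() {
  # $1 = source directory, $2 = output .tar.gz
  # Entry order, mtimes, uid/gid and the gzip header are all pinned, so two
  # builds of the same tree yield identical bytes; without that, a published
  # checksum cannot be compared against a locally rebuilt archive.
  local srcdir="$1" out="$2"
  tar --sort=name --owner=0 --group=0 --numeric-owner \
      --mtime='2024-01-01 00:00:00 UTC' \
      -cf - -C "$srcdir" . | gzip -n > "$out"
}

write_checksums() {
  # $1 = tarball, $2 = SHA256SUMS to write ("<hex>  <name>" per line)
  printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" > "$2"
}

sign_checksums() {
  # Detach-sign SHA256SUMS; one signature then covers every artifact listed.
  # Returns 2 (not 0) when gpg or the key id is unavailable so a workflow
  # step cannot silently publish an unsigned release.
  local sums="$1"
  if ! command -v gpg >/dev/null 2>&1 || [ -z "${GPG_SIGN_KEY:-}" ]; then
    echo "sign_checksums: gpg or GPG_SIGN_KEY missing" >&2
    return 2
  fi
  gpg --batch --yes --armor --local-user "$GPG_SIGN_KEY" \
      --output "$sums.asc" --detach-sign "$sums"
}

verify_source() {
  # $1 = tarball, $2 = SHA256SUMS, $3 (optional) = detached .asc signature
  # With the signature, the check binds SHA256SUMS to the release key; the
  # checksum alone only detects corruption, not a substituted archive.
  local tarball="$1" sums="$2" sig="${3:-}" expected actual
  if [ -n "$sig" ]; then
    gpg --verify "$sig" "$sums" >/dev/null 2>&1 || { echo "bad signature" >&2; return 1; }
  fi
  expected=$(awk -v f="$(basename "$tarball")" '$2 == f {print $1}' "$sums")
  actual=$(sha256_of "$tarball")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $tarball" >&2
    return 1
  fi
}

demo() {
  # Constructed sample tree: proves the archive is reproducible across a
  # rebuild with changed file mtimes, that verification passes on the
  # genuine tarball, and that a tampered copy is rejected. Returns 0 on success.
  local work; work=$(mktemp -d)
  mkdir -p "$work/src/internal"
  printf 'module example\n' > "$work/src/go.mod"
  printf 'package main\n' > "$work/src/main.go"
  printf 'package internal\n' > "$work/src/internal/x.go"
  make_source_tarball "$work/src" "$work/a.tar.gz"
  touch "$work/src/main.go"            # mtime change must not alter the archive
  make_source_tarball "$work/src" "$work/b.tar.gz"
  [ "$(sha256_of "$work/a.tar.gz")" = "$(sha256_of "$work/b.tar.gz")" ] || return 1
  write_checksums "$work/a.tar.gz" "$work/SHA256SUMS"
  verify_source "$work/a.tar.gz" "$work/SHA256SUMS" || return 1
  cp "$work/a.tar.gz" "$work/tampered.tar.gz"
  printf 'x' >> "$work/tampered.tar.gz"
  cp "$work/SHA256SUMS" "$work/tampered.sums"
  sed -i.bak 's/a\.tar\.gz/tampered.tar.gz/' "$work/tampered.sums"
  if verify_source "$work/tampered.tar.gz" "$work/tampered.sums" 2>/dev/null; then
    return 1                           # must fail: contents no longer match
  fi
  rm -rf "$work"
  return 0
}

if [ "${RUN_DEMO:-}" = 1 ]; then
  demo && echo "reproducible archive, checksum and tamper check OK"
fi
```

Run with `RUN_DEMO=1 bash release-source.sh` to exercise the checks; in a release job, `make_source_tarball`, `write_checksums` and `sign_checksums` would run after the compiled artifacts are written so that the one signed `SHA256SUMS` lists both. The `--mtime`/`--sort`/`-n` pinning is the part worth keeping even if the signing tool differs: a signature over a tarball that cannot be regenerated byte-for-byte tells a downstream builder nothing about whether the tree they check out matches the one that was signed.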

abstractionfactory commented 2 weeks ago

Thanks @ehdis I queued this up for the core team to discuss.