prometheus / node_exporter

Exporter for machine metrics
https://prometheus.io/
Apache License 2.0

Feature request: Please sign your releases #3001

Open udf2457 opened 6 months ago

udf2457 commented 6 months ago

It is easier than ever to do in 2024! You can even do it fully-automated via Github Actions, Github OIDC and Sigstore "keyless" signing.

udf2457 commented 6 months ago

Useful references:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

jpds commented 5 months ago

The Git tags now appear to be signed - so I think this can be closed.

kranurag7 commented 3 months ago

Git Tags are now signed by GPG keys and I think the issue comment requests keyless signing of artifacts using cosign.

udf2457 commented 3 months ago

What @kranurag7 said.

What use are signed git commits to me if I'm downloading artifacts?

You presently provide nothing with your artifacts. There is a sha256 file, but there's no signature to go with it, so you are not even providing the most basic of basics.

Meanwhile SLSA is the 2024 way to sign your artefacts, so if you're going to do something, you might as well do that instead of simply introducing signed sha256 files.

kranurag7 commented 3 months ago

Thanks @udf2457, I'll look into fixing this using cosign in coming days.

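As an added example (not node_exporter's own workflow, nor code from anyone in this thread), here is the keyless setup the thread asks for: a GitHub Actions job that signs the release's sha256 file with cosign via GitHub OIDC and Sigstore, followed by the cosign verification a downloader would run against the resulting bundle. The checksum filename `sha256sums.txt` and the job layout are assumptions.

```yaml
# Added example, not node_exporter's own workflow. Assumes the release job
# already attached sha256sums.txt to the published release for this tag.
name: sign-and-verify-release
on:
  release:
    types: [published]

permissions:
  contents: write   # upload the signature bundle as a release asset
  id-token: write   # mint the GitHub OIDC token cosign trades for a Fulcio cert

env:
  GH_TOKEN: ${{ github.token }}   # lets the gh CLI touch this repo's releases

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v3
      - run: gh release download "${{ github.ref_name }}" --pattern sha256sums.txt --dir dist
      # Keyless: no long-lived key lives in the repo. cosign trades the job's
      # OIDC token for a short-lived Fulcio certificate bound to this workflow's
      # identity and logs the signature in Rekor; the bundle carries all three.
      - name: Sign the checksum file
        run: |
          cosign sign-blob --yes \
            --bundle dist/sha256sums.txt.sigstore.json \
            dist/sha256sums.txt
      - run: gh release upload "${{ github.ref_name }}" dist/sha256sums.txt.sigstore.json

  # What a downloader does: pin the signer to this repo's workflow at this tag
  # and to GitHub's OIDC issuer, so a bundle from any other identity fails.
  verify:
    needs: sign
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: sigstore/cosign-installer@v3
      - run: gh release download "${{ github.ref_name }}" --dir dist
      - name: Verify the signature before trusting any checksum
        run: |
          cosign verify-blob \
            --bundle dist/sha256sums.txt.sigstore.json \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp \
              "^https://github.com/${{ github.repository }}/\.github/workflows/.+@${{ github.ref }}$" \
            dist/sha256sums.txt
          cd dist && sha256sum --check --ignore-missing sha256sums.txt
```

Outside CI a downloader runs the same `cosign verify-blob` command with the repository and tag filled in by hand; a signed sha256 file on its own proves only integrity, the identity and issuer pins are what tie it to this project's release pipeline.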