samhclark / custom-silverblue

Following Jorge Castro's lead and making my own spin on Silverblue

Sign resulting images with Cosign #3

Closed samhclark closed 2 months ago

samhclark commented 2 months ago

There are two options that I need to explore and consider the threat model for.

  1. Generate my own Cosign private key and store it as a secret in GitHub Actions. Check the public key into the repository.
  2. Use the OIDC integration with GitHub Actions to sign it with a key bound to my identity. No secrets in GHA, but maybe more complicated key distribution and setup? Maybe harder if I ever change my username or have others collaborate on this repo?

samhclark commented 2 months ago

Oops. #4 not #3

samhclark commented 2 months ago

Closed by #5