Open arewm opened 1 year ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.
/lifecycle frozen
Created based on https://github.com/tektoncd/chains/pull/730#discussion_r1179481642
It is generally preferable to sign produced artifacts by the process which generated them, in order to more clearly indicate the level of trust which can be associated with them. As Chains is becoming more capable of signing artifacts (images, SBOMs) which it doesn't produce, the considerations should be documented for users to take into account before enabling this functionality.

Having some signature is better than no signature; however, it would be preferable to leverage some process like keyless signing and SPIFFE/SPIRE to enable signing, within the pipeline, of artifacts generated by the pipeline. If Chains only signs the content which it produces (i.e. provenance), then its actions can be more clearly tied to a more trusted service within a build platform.