The idea is to sign the release artifacts using cosign when doing the release.
The project is already using GoReleaser and GitHub Actions, and that makes things easier to implement 😃
I can help to implement this feature if the team decides to move this idea forward.
What problem does this feature address?
How does this benefit users of Mage?
This is an initial step for a more secure release and lets the consumers have the ability to verify the release artifacts.
Additional context
Using the current GoReleaser config, we can create a GitHub Action to make the release, and we can sign the binaries/images using a keyless approach and push the signed artifacts all together to the GitHub release.
And thanks for this amazing project, I use it in some projects :)
Sorry for the delay @natefinch. Signing the image/binaries, or even the checksums, will make the release a bit safer, and downstream users can check if the signature matches with who signed and if the binary/image generated. Homebrew does not check signatures right now, but maybe in the future.
This is just a suggestion and if you think that is not useful feel free to close this issue.
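The downstream check discussed in this thread, sketched as an added example that is not part of the original issue or the Mage project's own tooling. It assumes the release publishes `checksums.txt` with a cosign keyless signature (`checksums.txt.sig`) and certificate (`checksums.txt.pem`) beside it; those file names and the identity placeholder are assumptions.

```shell
#!/bin/sh
# Added example: consumer-side verification of a keyless-signed release.
# Assumed layout: checksums.txt, checksums.txt.sig and checksums.txt.pem
# are attached to the GitHub release next to the binaries.

# Placeholders: pin these to the release workflow identity the project
# documents. A keyless signature only proves something if both are pinned.
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/OWNER/REPO/.github/workflows/WORKFLOW.yml@refs/tags/TAG}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Step 1: verify the signature over the checksum file and who signed it.
verify_checksums_signature() {
  cosign verify-blob \
    --certificate "$1.pem" \
    --signature "$1.sig" \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$1"
}

# Step 2: compare the artifact digest with its entry in the checksum file.
# Returns 0 on match, 1 on mismatch, 2 when the artifact is not listed.
verify_artifact_digest() {
  vad_name=$(basename "$1")
  vad_expected=$(awk -v n="$vad_name" '$2 == n || $2 == "*" n { print $1 }' "$2")
  [ -n "$vad_expected" ] || { echo "no checksum entry for $vad_name" >&2; return 2; }
  vad_actual=$(sha256_of "$1")
  [ "$vad_expected" = "$vad_actual" ] || { echo "digest mismatch for $vad_name" >&2; return 1; }
}

# Full check: the digest is trusted only after the signature verifies.
verify_release() {
  verify_checksums_signature "$2" && verify_artifact_digest "$1" "$2"
}
```

Call it as `verify_release ./ARTIFACT ./checksums.txt`; signing only the checksum file still covers every listed binary, because each digest is checked against the signed list.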