signed releases #2777

Open
szuecs opened this issue Dec 5, 2023 · 0 comments
Labels: github_actions, security

Comments

szuecs (Member) commented Dec 5, 2023

According to https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases we would get 8/10 if we GPG-signed releases. We likely could put a GPG key in GH to sign release binaries.
But how do we get 10/10?
https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases says https://slsa.dev/get-started#slsa-3 is the way, which leads to https://github.com/slsa-framework/slsa-github-generator, and finally in Go you would use https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md.
Likely we can migrate from the Makefile build/release to the "gorelease-style" slsa-github-generator.
Users can check with https://github.com/slsa-framework/slsa-verifier.

Right now we have 0/10.

szuecs added the security and github_actions labels Dec 5, 2023
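The migration the issue sketches, shown as an added example that is not from the issue or from the project's own repository: a tag-triggered release workflow that hands the Go build to the SLSA 3 Go builder from slsa-github-generator, plus the build definition file that builder reads in place of the Makefile targets. The file paths, the builder version pin `vX.Y.Z`, the Go version and the binary name are placeholders or assumptions; the workflow path, its `permissions` block and the `go-version`, `config-file` and `upload-assets` inputs are the builder's documented interface.

```yaml
# .github/workflows/release.yml (assumed path; added example, not project code)
# On a version tag, the reusable SLSA 3 Go builder compiles the binary inside
# its own isolated workflow and publishes it with a signed SLSA provenance
# attestation (<binary>.intoto.jsonl) as release assets.
name: release

on:
  push:
    tags:
      - "v*"

# Least privilege at the workflow level; the build job widens only what the
# builder needs.
permissions: read-all

jobs:
  build:
    permissions:
      id-token: write   # request the Sigstore (keyless) signing identity
      contents: write   # upload binary and provenance as release assets
      actions: read     # builder reads metadata of the calling workflow run
    # Always pin the builder to a release tag; vX.Y.Z is a placeholder.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@vX.Y.Z
    with:
      go-version: "1.21"            # assumed Go toolchain version
      config-file: .slsa-goreleaser.yml
      upload-assets: true           # attach binary + provenance to the GitHub release
---
# .slsa-goreleaser.yml: build definition consumed by the Go builder
# (stands in for the Makefile build target; values are placeholders)
version: 1
goos: linux
goarch: amd64
binary: my-binary-linux-amd64
flags:
  - -trimpath                       # reproducible paths in the binary
ldflags:
  - "-s -w"
env:
  - CGO_ENABLED=0
```

A user then verifies a downloaded release with the verifier named in the issue, for example `slsa-verifier verify-artifact my-binary-linux-amd64 --provenance-path my-binary-linux-amd64.intoto.jsonl --source-uri github.com/ORG/REPO --source-tag vX.Y.Z` (repository and tag are placeholders). That check confirms the Sigstore signature on the provenance, that it was produced by the trusted builder workflow rather than by an arbitrary job in the repository, that the recorded source repository and tag match what the user expects, and that the artifact's SHA-256 digest equals the subject digest in the attestation; a binary that was rebuilt or swapped after the fact fails the digest comparison.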