[arch-devops] Artifact signing
Kristian Klausen
kristian at klausen.dk
Sun Nov 14 22:16:41 UTC 2021
Hi all,
shibumi has been writing a few blog posts[1][2][3] on `cosign` recently
and its "Keyless Signatures"[4] feature.
This motivated me to look into it for artifact signing from our CI[5],
in particular for arch-boxes (our VM images).
After discussing it on IRC (-devops), I'm sending this mail to get some
inputs.
I have opened a MR with a few solutions sketched[6] (with great help
from @shibumi).
[1] https://shibumi.dev/posts/first-look-into-cosign/
[2] https://shibumi.dev/posts/what-are-ephemeral-certificates/
[3] https://shibumi.dev/posts/keyless-signatures-with-github-actions/
[4] https://github.com/sigstore/cosign/blob/main/KEYLESS.md
[5] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/280
[6] https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/508
Best regards,
Kristian Klausen