[arch-devops] Artifact signing

Kristian Klausen kristian at klausen.dk
Sun Nov 14 22:16:41 UTC 2021

Hi all,

shibumi has been writing a few blog posts[1][2][3] on `cosign` recentely 
and its "Keyless Signatures"[4] feature.
This motivated me to look into it for artifact signing from our CI[5], 
in particular for arch-boxes (our VM images).

After discussing it on IRC (-devops), I'm sending this mail to get some 

I have opened a MR with a few solutions sketched[6] (with great help 
from @shibumi).

[1] https://shibumi.dev/posts/first-look-into-cosign/
[2] https://shibumi.dev/posts/what-are-ephemeral-certificates/
[3] https://shibumi.dev/posts/keyless-signatures-with-github-actions/
[4] https://github.com/sigstore/cosign/blob/main/KEYLESS.md
[5] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/280
[6] https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/508

Best regards,
Kristian Klausen

More information about the arch-devops mailing list