feat(B-0853): sigstore/cosign artifact signing — free-stuff coverage for ISO + containers + tarballs + Nix substitutes (Aaron 2026-05-27)#5404
Merged
AceHack merged 1 commit intoMay 27, 2026
Conversation
…for ISO + containers + tarballs + Nix substitutes (Aaron 2026-05-27) Operator authorized free-stuff signing substrate after asking about Let's Encrypt (LE explicitly out-of-scope for code signing). Aaron: "this sounds good and i can pay those costs for the propritary oses when we need please start on the free stuff and backlog it." Scope: - IN: containers (cosign keyless via GitHub OIDC + Fulcio + Rekor), ISO blob signing, tarball signing, Nix substitute signing, install-path verification, SLSA attestations - OUT (deferred, Aaron-funded when load-bearing): Windows Authenticode (commercial CA $200-700/yr), macOS notarization ($99/yr Apple Dev), EV code signing ($400-1000/yr) Sub-rows B-0853.1-8 enumerated; Phase 1 = container path (smallest end-to-end slice; cosign + GitHub OIDC + Rekor verify round-trip). Outreach channel per Aaron: Aaron / Addison / Max available for any future form-filling (SignPath Foundation OSS app, Apple Dev enrollment, commercial CA EV liaison). Sigstore needs zero outreach. Composes with B-0843 artifact attestation, B-0850 cluster substrate, B-0831 CI cascade 6, B-0852 cred persistence (per-AI identity binding), B-0830 deferred release-attach. Per NCI HC-8: keyless OIDC defeats single-key-loss failure mode; NixOS substituter key remains operator-controlled where load-bearing.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
AceHack
deleted the
backlog/b-0853-sigstore-cosign-artifact-signing-2026-05-27
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Composes with
Outreach channel (Aaron 2026-05-27)
Aaron / Addison / Max available for future form-filling: SignPath Foundation OSS app, Apple Developer Program enrollment, commercial CA EV liaison. Sigstore needs zero outreach (open community substrate).
Sub-rows enumerated
B-0853.1-8 in row body. Order: container path (1→2) → ISO + install verify (3→5) → Nix substituter (4) → cluster verify + SLSA (6→7) → substrate landing (8).
NCI floor preserved
Per .claude/rules/non-coercion-invariant.md HC-8: keyless OIDC model defeats single-key-loss failure mode; identity binding at OIDC issuer + Fulcio CA root scope. NixOS substituter key stays operator-controlled where operator-must-own.
Test plan
🤖 Generated with Claude Code