Is your feature request related to a problem?
CNCF provides a tool, Clomonitor, to run OpenSSF Security Best Practice checks on CNCF projects. Among the security check items there is a signing-related check that has not been passed. See https://clomonitor.io/projects/cncf/notary#notation_security.
According to the OpenSSF Scorecard signing check criteria, a .sig file should be generated in the Notation release assets so that the signature can be detected by the OpenSSF Scorecard check tool. To meet the OpenSSF security best practice, we need to sign the Notation CLI release assets.
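The criterion above is about signature files being present as release assets next to the artifacts they cover. The following script is an added example (not code from the Notation project or from this issue) that takes the asset names of a release and reports which artifacts have no detached signature file beside them, and which signature files point at nothing. The list of signature suffixes is an assumption about what signature-scanning tools look for; ".sig" is the one this issue names, and the release listing is constructed for the example.

```python
"""Report release assets that lack a detached signature file.

Added example, not part of Notation or of this issue: given the asset names
of a release, pair each artifact with a detached signature file and list the
artifacts that have none, plus signature files whose subject is missing.
"""
from __future__ import annotations

# Assumed set of detached-signature suffixes that release scanners recognise;
# ".sig" is the one the issue names, the others are common alternatives.
SIGNATURE_SUFFIXES = (".sig", ".asc", ".minisig", ".sigstore", ".intoto.jsonl")

# Constructed release listing for the example (not a real Notation release).
CONSTRUCTED_RELEASE = [
    "notation_1.0.0_linux_amd64.tar.gz",
    "notation_1.0.0_linux_amd64.tar.gz.sig",
    "notation_1.0.0_darwin_arm64.tar.gz",        # no .sig beside it
    "notation_1.0.0_windows_amd64.zip",
    "notation_1.0.0_windows_amd64.zip.sig",
    "notation_1.0.0_checksums.txt",
    "notation_1.0.0_checksums.txt.sig",
    "stale.tar.gz.sig",                          # signature with no subject
]


def is_signature(name: str) -> bool:
    """True if the asset name ends with a recognised signature suffix."""
    return name.endswith(SIGNATURE_SUFFIXES)


def signed_subject(name: str) -> str | None:
    """Return the artifact name a signature file covers, or None if the
    name is not a signature file."""
    for suffix in SIGNATURE_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return None


def signature_coverage(assets: list[str]) -> dict[str, list[str]]:
    """Split a release's assets into signed artifacts, unsigned artifacts and
    orphan signature files (signatures whose subject is not in the release)."""
    asset_set = set(assets)
    subjects = {signed_subject(a) for a in assets if is_signature(a)}
    artifacts = [a for a in assets if not is_signature(a)]
    signed = sorted(a for a in artifacts if a in subjects)
    unsigned = sorted(a for a in artifacts if a not in subjects)
    orphans = sorted(
        a for a in assets if is_signature(a) and signed_subject(a) not in asset_set
    )
    return {"signed": signed, "unsigned": unsigned, "orphan_signatures": orphans}


def report(assets: list[str]) -> int:
    """Print a coverage report; return 1 if any artifact is unsigned so the
    function can gate a release job, else 0."""
    result = signature_coverage(assets)
    for key in ("signed", "unsigned", "orphan_signatures"):
        print(f"{key}:")
        for name in result[key]:
            print(f"  {name}")
    return 1 if result["unsigned"] else 0


if __name__ == "__main__":
    raise SystemExit(report(CONSTRUCTED_RELEASE))
```

Run against a real release, the asset names would come from the release API or from the files in the release directory; the exit status lets the check fail a release job when an artifact was uploaded without its signature.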
What solution do you propose?
Notation provides GitHub Actions for signing and verification that can easily be used in a GitHub Actions workflow and in the release process.
There are a few dependencies to resolve before implementing the signing flow in the release process, such as blob signing and timestamping, which are work in progress. Retrieving the signing key from GitHub infra, as articulated in #905, might be another dependency. It's recommended to sign the Notation CLI release assets with the Notation GitHub Actions after these dependencies are supported in upcoming releases.
What alternatives have you considered?
N/A
Any additional context?
N/A