
Sign release tags #2138

Open

inglor opened this issue Apr 19, 2024 · 6 comments
Labels
status/ready Issue ready to be worked on. type/chore Issue that requests non-user facing changes.

Comments

@inglor

inglor commented Apr 19, 2024

Description

Consider signing tags of releases

Proposed solution

As the package maintainer for Arch Linux, I would appreciate it if you could help maintain the chain of trust with PGP signatures on commits/tags. This can be handled by the Arch Linux build tools, which can automatically validate the PGP public key of the author of the commit/tag.

Tasks:

  • Sign commits and tags of releases
  • Mention the public keys used for signing the above in README or any other file within the repository so downstream systems can validate independently.
  • Add any new maintainers who can release on the above list

Describe alternatives you've considered

N/A

Additional context

N/A

@inglor inglor added status/triage Issue or PR that requires contributor attention. type/enhancement Issue that requests a new feature or improvement. labels Apr 19, 2024
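The three tasks above (sign the tag, publish the key fingerprints, let downstream validate independently) are shown end to end in the following added example. It is not code from the pack project or from the issue author: the producer-side `git` commands are listed as comments, and the consumer-side function parses the gpg status lines that `git verify-tag --raw` writes to stderr and accepts a tag only when its `VALIDSIG` primary-key fingerprint is on a pinned allowlist (the role the README key list would play for Arch's build tools). The tag name, fingerprints and status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: downstream validation of a PGP-signed release tag.
#
# Producer side (what the issue asks maintainers to do), for reference only:
#   git config user.signingkey <primary-key-fingerprint>
#   git tag -s v0.34.0 -m "pack v0.34.0"    # hypothetical tag name
#   git verify-tag --raw v0.34.0 2>&1 >/dev/null   # gpg status lines, on stderr
#
# Consumer side: trust comes from a pinned fingerprint list published by the
# project, not from whatever keys or trust levels happen to be in the local
# keyring (so TRUST_UNDEFINED from gpg is ignored on purpose).
# Constructed allowlist, one primary-key fingerprint per line (made-up value):
ALLOWED_FPRS='
AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444
'

# check_status STATUS_TEXT ALLOWLIST
# Returns 0 only if there is exactly one VALIDSIG line whose primary-key
# fingerprint (field 12) is in ALLOWLIST and no line reports a bad, expired,
# revoked or unverifiable signature. Any other outcome is a distinct failure.
check_status() {
    status="$1"; allow="$2"
    # Fail closed on any negative or inconclusive verdict from gpg.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 2
    fi
    # Field 3 of VALIDSIG is the signing (sub)key; field 12 is the primary key
    # fingerprint, which is what a project would publish in its README.
    primary=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }')
    [ -n "$primary" ] || return 3          # no valid signature at all
    set -- $primary                        # split into words: one per VALIDSIG
    [ $# -eq 1 ] || return 4               # refuse multiple signatures
    printf '%s\n' "$allow" | grep -Fxq "$1" || return 5   # key not pinned
    return 0
}

# verify_tag TAG ALLOWLIST: runs git in the current repo and checks the status.
verify_tag() {
    st=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || true
    check_status "$st" "$2"
}

# Constructed gpg status output (not captured from a real run): a good signature
# by a subkey whose primary key is on the allowlist.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222333344445555 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2024-04-19 1713500000 0 4 0 22 8 00 AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the tag object was altered after signing.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 2222333344445555 Example Maintainer <maint@example.org>'

# Constructed: valid signature, but from a key the project never published.
UNKNOWN_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9999888877776666 Someone Else <other@example.org>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-04-19 1713500000 0 4 0 22 8 00 9999888877776666555544443333222211110000
[GNUPG:] TRUST_ULTIMATE 0 pgp'
```

In a packaging pipeline the only line that changes per project is the allowlist, and rotating or adding a maintainer key is a reviewed change to that list, which is exactly why the issue asks for the fingerprints to live in the repository rather than only on a keyserver.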
@jjbustamante
Member

Hi @inglor, we've discussed similar ideas in the past; there is an open RFC to integrate with Cosign. From this RFC, some new ideas came up, like the prepare operation:

  • initial RFC
  • some continuation RFC

We are happy to get some help or ideas, or if you want to keep working on the previous RFCs, that would be great.

@jjbustamante jjbustamante added status/requires-rfc Issue or PR that requires an RFC to be filed. and removed status/triage Issue or PR that requires contributor attention. labels Apr 19, 2024
@jjbustamante
Member

jjbustamante commented Apr 19, 2024

This is probably similar to or duplicating #268

@inglor
Author

inglor commented Apr 20, 2024

I think you misunderstood the request. This is about signing the release tag of this repository with a PGP key. It is not a new feature request for pack itself :) I just couldn't choose a category other than feature.

@jjbustamante
Member

Oh! Sorry about that @inglor, then I think it is similar to or duplicating this one: #934 :)

@jjbustamante jjbustamante added status/ready Issue ready to be worked on. type/chore Issue that requests non-user facing changes. and removed status/requires-rfc Issue or PR that requires an RFC to be filed. type/enhancement Issue that requests a new feature or improvement. labels Apr 22, 2024
@inglor
Author

inglor commented Apr 22, 2024

Yes - I'll move discussion there.

@inglor
Author

inglor commented Apr 24, 2024

As per the suggestion on #934 (comment), re-opening this.

@inglor inglor reopened this Apr 24, 2024
@natalieparellano natalieparellano changed the title Consider signing tags of releases Sign release tags Jul 1, 2024