-
-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign nextest's binary releases #369
Comments
FYI, I'm working on supporting signing in upload-rust-binary-action, and here is a draft implementation of signing with PGP: taiki-e/upload-rust-binary-action#40 (comment) |
Thanks, this is awesome! Any plans to support Sigstore? |
Sorry for the late reply, Sigstore has been included in the list since taiki-e/upload-rust-binary-action#40 was first opened. Do you have any concrete requests as to what format you want to sign, or what files you want to sign? |
Thanks @taiki-e -- ideally the release task would run It would also be great to work with @NobodyXu and the binstall folks to align on a strategy where binstall checks signatures. |
(I think another option is to use OCI to store artifacts in addition to GitHub Releases: https://docs.sigstore.dev/cosign/signing_with_blobs/#blobs-in-oci-registries) |
I wrote a comment on cargo-bins/cargo-binstall#1 discussing this. |
It would be really nice to have a way for us to sign nextest's binary releases to ensure they're authentic.
The text was updated successfully, but these errors were encountered: