Skip to content

release: sign release artifacts and important version tags #204

Description

@TFT444

Goal

Provide cryptographically verifiable releases and important version tags for the OpenSSF Silver criteria tracked in #199.

Requirements

  • Select a reviewed signing model, such as keyless Sigstore attestations or separately protected signing keys
  • Build release artifacts and SHA-256 checksums from the reviewed tag
  • Sign or attest each distributed artifact and SBOM
  • Bind verification to the repository, workflow, commit, and signer identity
  • Publish copyable verification instructions
  • Verify uploaded artifacts in a separate CI step
  • Create future important tags as signed annotated tags, or document the approved equivalent

Safety

Signing authority and recovery ownership require project-lead approval. Existing lightweight tags must not be described as signed tags.

Completion

  • Signing model and ownership are approved
  • Release workflow produces verifiable artifacts
  • Public verification instructions are tested
  • One real release completes the process successfully
  • Silver evidence register links to the release evidence

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
🔨 In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions