Goal
Provide cryptographically verifiable releases and important version tags for the OpenSSF Silver criteria tracked in #199.
Requirements
- Select a reviewed signing model, such as keyless Sigstore attestations or separately protected signing keys
- Build release artifacts and SHA-256 checksums from the reviewed tag
- Sign or attest each distributed artifact and SBOM
- Bind verification to the repository, workflow, commit, and signer identity
- Publish copyable verification instructions
- Verify uploaded artifacts in a separate CI step
- Create future important tags as signed annotated tags, or document the approved equivalent
Safety
Signing authority and recovery ownership require project-lead approval. Existing lightweight tags must not be described as signed tags.
Completion
Goal
Provide cryptographically verifiable releases and important version tags for the OpenSSF Silver criteria tracked in #199.
Requirements
Safety
Signing authority and recovery ownership require project-lead approval. Existing lightweight tags must not be described as signed tags.
Completion