Sign GitHub releases using cosign #3302

mowies · 2024-03-20T07:10:18Z

Goal

As a Keptn user, I want to be sure that the code I am downloading is actually the code that the maintainers released.

Details

Introduce some new steps in the release pipeline to use cosign to sign the release code archives for every release that happens.
This should be possible using cosign blob signing and attestation for the resulting files.

This should increase our security scores by OpenSSF.

DoD

github code releases are signed
signature and certificate are attached to each release going forward

mowies added the status: ready-for-refinement Issue is relevant for the next backlog refinment label Mar 20, 2024

mowies assigned rakshitgondwal Mar 20, 2024

keptn-bot added this to Keptn Lifecycle Toolkit Mar 20, 2024

mowies added enhancement New feature or request security labels Mar 20, 2024

odubajDT moved this to 🎟️ Refined in Keptn Lifecycle Toolkit Mar 20, 2024

odubajDT removed the status: ready-for-refinement Issue is relevant for the next backlog refinment label Mar 20, 2024

mowies added the status: in-progress label Apr 3, 2024

rakshitgondwal removed their assignment Jul 10, 2024

mowies added status: todo and removed status: in-progress labels Jul 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sign GitHub releases using cosign #3302

Sign GitHub releases using cosign #3302

mowies commented Mar 20, 2024 •

edited

Loading

Sign GitHub releases using cosign #3302

Sign GitHub releases using cosign #3302

Comments

mowies commented Mar 20, 2024 • edited Loading

Goal

Details

DoD

mowies commented Mar 20, 2024 •

edited

Loading