another option for code signing that is interesting

37a3f115 · anarcat · 90823baf · 37a3f115
Verified Commit 37a3f115 authored 3 years ago by anarcat
--- a/howto/gitlab.md
+++ b/howto/gitlab.md
@@ -1199,6 +1199,28 @@ explicitly says:
 We do not currently have plans to get rid of OpenPGP internally, but
 it's still nice to have options.

+### Lorenc: sigstore
+
+[Dan Lorenc][], an engineer at Google, designed a tool that allows
+users to sign "artifacts". Typically, those are container images
+(e.g. [cosign](https://github.com/sigstore/cosign) is named so because it signs "containers"), but
+anything can be signed.
+
+It also works with a transparency log server called [rekor](https://github.com/sigstore/rekor). They
+run a public instance, but we could also run our own. It is currently
+unclear if we could have both, but it's apparently possible to run a
+"monitor" that would check the log for consistency.
+
+There's also a system for [signing binaries with ephemeral keys](https://shibumi.dev/posts/first-look-into-cosign/)
+which seems counter-intuitive but actually works nicely for CI jobs.
+
+Seems very promising, maintained by Google, RedHat, and supported by
+the Linux foundation. Complementary to [in-toto][] and [TUF][].
+
+[TUF]: https://theupdateframework.io/
+[in-toto]: https://github.com/in-toto/in-toto
+[Dan Lorenc]: https://github.com/dlorenc
+
 ### Other caveats

 Also note that git has limited security guarantees regarding