... | ... | @@ -1199,6 +1199,28 @@ explicitly says: |
|
|
We do not currently have plans to get rid of OpenPGP internally, but
|
|
|
it's still nice to have options.
|
|
|
|
|
|
### Lorenc: sigstore
|
|
|
|
|
|
[Dan Lorenc][], an engineer at Google, designed a tool that allows
|
|
|
users to sign "artifacts". Typically, those are container images
|
|
|
(e.g. [cosign](https://github.com/sigstore/cosign) is named so because it signs "containers"), but
|
|
|
anything can be signed.
|
|
|
|
|
|
It also works with a transparency log server called [rekor](https://github.com/sigstore/rekor). They
|
|
|
run a public instance, but we could also run our own. It is currently
|
|
|
unclear if we could have both, but it's apparently possible to run a
|
|
|
"monitor" that would check the log for consistency.
|
|
|
|
|
|
There's also a system for [signing binaries with ephemeral keys](https://shibumi.dev/posts/first-look-into-cosign/)
|
|
|
which seems counter-intuitive but actually works nicely for CI jobs.
|
|
|
|
|
|
Seems very promising, maintained by Google, RedHat, and supported by
|
|
|
the Linux foundation. Complementary to [in-toto][] and [TUF][].
|
|
|
|
|
|
[TUF]: https://theupdateframework.io/
|
|
|
[in-toto]: https://github.com/in-toto/in-toto
|
|
|
[Dan Lorenc]: https://github.com/dlorenc
|
|
|
|
|
|
### Other caveats
|
|
|
|
|
|
Also note that git has limited security guarantees regarding
|
... | ... | |
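Review bot: the rekor paragraph ("It is currently unclear if we could have both, but it's apparently possible to run a 'monitor'...") runs two separate questions together and should be split: whether a self-hosted rekor instance can coexist with the public one, and what a monitor does, which is check the log for consistency over time rather than make the two instances work together, so the "but" does not follow from the first clause. Likewise the ephemeral-keys sentence says it "seems counter-intuitive but actually works nicely for CI jobs" without saying why; one clause noting that what a verifier later relies on is the entry recorded in the transparency log rather than a long-lived key would save readers a trip to the linked post. Nits in the closing paragraph: "RedHat" should be "Red Hat", "Linux foundation" should be "Linux Foundation", and "Seems very promising, maintained by Google, RedHat, and supported by the Linux foundation." is a fragment (e.g. "It seems very promising: it is maintained by Google and Red Hat and supported by the Linux Foundation.").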