Integrate with sget #50

Open
wilsonehusin opened this issue Mar 30, 2022 · 2 comments

Comments

@wilsonehusin
Member

Adolfo (@puerco) brought sigstore/sget to my attention that it might be the significant chunk we need out of cosign.

Their README claims:

> curl | bash isn't a great idea, but sget | bash is less-bad.

So considering how currently we do (in Go) curl && shasum && tar, maybe see if we can leverage sget instead of curl && cosign && tar.

Related #15
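
The `curl && shasum && tar` flow mentioned in the comment above, reduced to its verify-before-unpack gate, as an added example (not this project's code, and not taken from sget or cosign). `VerifyThenList` and `SampleRelease` are hypothetical names, the archive is constructed in memory in place of a download, and an uncompressed tar is assumed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// VerifyThenList is the shasum-then-tar gate: no archive byte reaches the
// tar parser until its SHA-256 equals wantHex (lowercase hex, pinned).
func VerifyThenList(archive []byte, wantHex string) ([]string, error) {
	if got := sha256.Sum256(archive); hex.EncodeToString(got[:]) != wantHex {
		return nil, errors.New("sha256 mismatch: refusing to unpack")
	}
	var names []string
	for tr := tar.NewReader(bytes.NewReader(archive)); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		} else if err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
}

// SampleRelease builds a constructed one-file tar archive plus its hex digest.
func SampleRelease() ([]byte, string) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("constructed sample binary\n")
	tw.WriteHeader(&tar.Header{Name: "bin/tool", Mode: 0o755, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	sum := sha256.Sum256(buf.Bytes())
	return buf.Bytes(), hex.EncodeToString(sum[:])
}

func main() {
	rel, digest := SampleRelease()
	fmt.Println(VerifyThenList(rel, digest)) // intact archive: names listed
	rel[len(rel)/2] ^= 0xff                  // constructed in-transit tampering
	fmt.Println(VerifyThenList(rel, digest)) // rejected before any parsing
}
```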

@wilsonehusin
Member Author

Actually, let's keep this in one place in #15.

@wilsonehusin
Member Author

Looking at the roadmap, I think this issue is worth reopening.

  1. Support fetching from URLs sigstore/sget#11
  2. After this merges / has stable API, it might be worth proposing to Goreleaser to "publish with a convention that is sget-able", considering they publish their GitHub releases with keyless signatures using cosign.
  3. Consume sget to securely download releases!

@wilsonehusin wilsonehusin reopened this Apr 16, 2022
@wilsonehusin wilsonehusin changed the title Maybe consider integrating with sget Integrate with sget Apr 24, 2022