
Add an option to gh release create for signing files attached to the release #9090

Open
sschuberth opened this issue May 16, 2024 · 2 comments
Labels: enhancement (a request to improve CLI), gh-attestation (related to the gh attestation command), gh-release (relating to the gh release command)

Comments


sschuberth commented May 16, 2024

Describe the feature or problem you’d like to solve

In order to pass this OpenSSF Scorecard check, it would be great if any files passed to gh release create could optionally get cryptographically signed with a configurable key.

Proposed solution

Add a command line option to gh release create that takes a key file (and / or GitHub secret when running inside a GitHub action) to automatically sign any uploaded files and upload the respective signature files along with it.

Additional context

Maybe also the new gh attestation command could be extended instead to sign existing releases, making this a two-step process of first creating the release and then signing its artifacts. However, that would somewhat defeat the convenience purpose of not running gpg manually for all artifacts but letting gh release create do all the work.

sschuberth added the enhancement (a request to improve CLI) label on May 16, 2024
cliAutomation added the needs-triage (needs to be reviewed) label on May 16, 2024
andyfeller (Contributor) commented

Thanks for opening up this suggestion, @sschuberth! ❤

While reading through this, I was also wondering whether the actions/attest-build-provenance action used for generating these release attestation artifacts might be leveraged for this concern. Given that this is only supported as a GitHub Action, I want to defer to my @cli/package-security colleagues to speak to potential concerns with generating and signing these attestations outside of GitHub Actions.

andyfeller added the gh-release (relating to the gh release command) and gh-attestation (related to the gh attestation command) labels and removed the needs-triage (needs to be reviewed) label on May 16, 2024
steiza (Contributor) commented May 16, 2024

Great question @sschuberth!

As it happens, we are planning on integrating artifact attestations with releases, after we take artifact attestations through public beta and into general availability. Thanks for the feedback, and stay tuned.
