New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

signed releases #2777

Open

szuecs opened this issue Dec 5, 2023 · 0 comments

Labels

github_actions security

Member

szuecs commented Dec 5, 2023 •

edited

According to https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases we will get 8/10 if we would gpg sign release. We likely could put a gpg key in GH to sign release binaries.
But how do we get 10/10?
https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases says https://slsa.dev/get-started#slsa-3 is the way which leads to https://github.com/slsa-framework/slsa-github-generator and finally in Go you would use https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md .
Likely we ca migrate from Makefile build/release to "gorelease-style" slsa-github-generator .
Users can check with https://github.com/slsa-framework/slsa-verifier

Right now we have 0/10

The text was updated successfully, but these errors were encountered:

szuecs added security github_actions labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment