Use GItHub attestations to check for signed releases #4080

edgarrmondragon · 2024-05-04T02:59:26Z

Is your feature request related to a problem? Please describe.

As seen in https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/.

Describe the solution you'd like

Check artifact signatures in a repo's https://github.com/<org>/<repo>/attestations URL.

Describe alternatives you've considered

Continue using the current Signed Releases check.

Additional context

The text was updated successfully, but these errors were encountered:

spencerschrock · 2024-05-06T15:44:37Z

This is on our radar. Some signals we may look for in a repo:

attestations: write permission
uses: actions/attest-build-provenance and checking the claimed subject-path against the release artifacts.

edgarrmondragon · 2024-05-12T04:50:18Z

fwiw actions/attest-build-provenance can produce an in-toto JSON file that can be uploaded to the release with a *.intoto.jsonl asset name, so this is already kinda supported.

(example in edgarrmondragon/citric#1132)

edgarrmondragon added the kind/enhancement New feature or request label May 4, 2024

spencerschrock added the check/Signed-Releases label May 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use GItHub attestations to check for signed releases #4080

Use GItHub attestations to check for signed releases #4080

edgarrmondragon commented May 4, 2024 •

edited

spencerschrock commented May 6, 2024

edgarrmondragon commented May 12, 2024 •

edited

Use GItHub attestations to check for signed releases #4080

Use GItHub attestations to check for signed releases #4080

Comments

edgarrmondragon commented May 4, 2024 • edited

spencerschrock commented May 6, 2024

edgarrmondragon commented May 12, 2024 • edited

edgarrmondragon commented May 4, 2024 •

edited

edgarrmondragon commented May 12, 2024 •

edited