sign Syft binary/container image via cosign #585
Comments
I love this! We'd love to start using sigstore to help with our own releases 🤩

Some questions...
Hello @luhring, there are several ways of proving the publisher's identity of the binary or container image via I don't know about the other stuff yet, but @dlorenc might want to help us with the first and third questions. Thanks in advance.
@kzantow If I'm reading this issue right, it's not about Syft generating SBOM attestations, but rather about signing releases of Syft itself (in various form factors, e.g. the Syft binary having a signature, container images of Syft having signatures, etc.)

@luhring yeah -- I definitely misread the description 🤦
What would you like to be added:

A tool called cosign[^1], created and maintained by the sigstore[^2] community, allows you to sign and verify container images. IINM Syft takes its releases via GoReleaser; luckily, cosign is now integrated into GoReleaser.[^3] Btw, there is a similar topic ongoing for the ossf/scorecard project too.[^4]

Why is this needed:

Additional context:

cc: @luhring @wagoodman

Footnotes

[^1]: https://github.com/sigstore/cosign
[^2]: https://sigstore.dev/
[^3]: https://carlosbecker.com/posts/goreleaser-cosign/
[^4]: https://github.com/ossf/scorecard/issues/309
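To make the proposal concrete, below is an added illustration of what the cosign integration in GoReleaser looks like as a `.goreleaser.yaml` fragment. It is not Syft's actual release configuration and not code from the cosign or GoReleaser projects; it assumes a key pair created with `cosign generate-key-pair` (private key `cosign.key`, password supplied through the `COSIGN_PASSWORD` environment variable that cosign reads) and a checksum file named `checksums.txt`, all of which are choices made for this example.

```yaml
# Added example .goreleaser.yaml fragment (hypothetical; not Syft's real config).
# Assumes: cosign.key exists in the release workspace and COSIGN_PASSWORD is set
# in the CI environment. Public key cosign.pub is published separately.

checksums:
  name_template: "checksums.txt"

signs:
  # Sign the checksum file rather than each archive: every archive is covered
  # through its SHA-256 entry, so consumers verify one signature plus checksums.
  - cmd: cosign
    artifacts: checksum
    signature: "${artifact}.sig"
    args:
      - sign-blob
      - --key=cosign.key
      - --output-signature=${signature}
      - ${artifact}

docker_signs:
  # Sign the pushed images; cosign stores the signature in the registry
  # alongside the image, bound to the manifest digest, not the mutable tag.
  - cmd: cosign
    artifacts: images
    args:
      - sign
      - --key=cosign.key
      - ${artifact}
```

On the consuming side the check is two steps for binaries: `cosign verify-blob --key cosign.pub --signature checksums.txt.sig checksums.txt`, then `sha256sum --ignore-missing -c checksums.txt` against the downloaded archive; for images it is `cosign verify --key cosign.pub <image>`. The signature only proves that the holder of `cosign.key` produced that checksum file or image digest, so the value of the scheme depends on `cosign.pub` being distributed through a channel independent of the release artifacts (for example committed in the repository) and on the private key and its password being kept out of the published release environment.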