Adopt sigstore to sign the artifacts #6149
Labels
Feature Request
Suggest an idea for this project
Comments
|
I'm happy to review contributions by someone else to add this. We are very limited in staffing at the moment and I'm reluctant to add additional review burden by contributing this myself, but I'm glad to review someone else's work. |
|
We’re planning on scheduling some time here in the next month or so. Will follow up with you then @jack-berg |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
We (@open-telemetry/sig-security-maintainers) are evaluating adopting sigstore (including cosign) for signing our artifacts, including the Collector binaries and container images.
I believe you are also signing your artifacts, and I wonder if you'd be willing to consider switching to sigstore, so that we have a project-wide, consistent way to sign our deliverables.
Here's a doc on how it can be used with Gradle, but we'd be more than happy to have a joint call to address questions you may have: https://github.com/sigstore/sigstore-java/tree/main/sigstore-gradle
The text was updated successfully, but these errors were encountered: