
the Signed-Releases remediation steps encourage manual manipulation of the source code archives #4018

Open
junyer opened this issue Apr 9, 2024 · 0 comments
Labels
kind/bug Something isn't working

Comments


junyer commented Apr 9, 2024

scorecard/docs/checks.md

Lines 607 to 613 in b577d79

**Remediation steps**
- Publish the release.
- Generate a signing key.
- Download the release as an archive locally.
- Sign the release archive with this key (should output a signature file).
- Attach the signature file next to the release archive.
- If the source is hosted on GitHub, check out the steps [here](https://wiki.debian.org/Creating%20signed%20GitHub%20releases).

In light of CVE-2024-3094, could the Signed-Releases remediation steps not encourage manual manipulation of the source code archives? :P

FWIW, I filed this feature request for SLSA folks five months ago. Earlier today, I stopped waiting and wrote this workflow using Sigstore instead.

@junyer junyer added the kind/bug Something isn't working label Apr 9, 2024
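The quoted remediation list has the maintainer download an archive and sign whatever arrived. The check a practitioner would want between steps 3 and 4 is that the archive's contents equal the tagged source tree, so the signature never vouches for files that exist only in the tarball. The following is an added example, not Scorecard's or the reporter's code: the source tree, the two archives, the `example-1.0/` prefix and the file names are constructed in memory for illustration. In a real release the expected side would come from the tag itself (for example the files emitted by `git archive <tag>`) and the actual side would be the downloaded archive.

```python
"""Compare a release archive against the tagged source tree before signing it.

Added example, not Scorecard's or the issue author's code.  The source tree,
the archives and the file names are constructed in memory for illustration.
"""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(files: dict[str, bytes]) -> dict[str, str]:
    """Digest every file of a source tree, keyed by repository-relative path."""
    return {path: sha256_hex(content) for path, content in files.items()}


def archive_digests(tar_bytes: bytes, prefix: str) -> dict[str, str]:
    """Digest every regular file in a .tar.gz, stripping the top-level
    directory the forge adds (e.g. 'example-1.0/').

    Rejects members outside that directory, absolute paths, '..' segments and
    non-regular entries (symlinks, devices) so a crafted archive cannot carry
    something the tree comparison would not see.
    """
    digests: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isdir():
                continue
            if not member.isfile():
                raise ValueError(f"non-regular member in archive: {member.name}")
            name = member.name
            if (name.startswith("/") or ".." in name.split("/")
                    or not name.startswith(prefix)):
                raise ValueError(f"suspicious path in archive: {name}")
            data = tar.extractfile(member).read()
            digests[name[len(prefix):]] = sha256_hex(data)
    return digests


def diff_trees(expected: dict[str, str], actual: dict[str, str]):
    """Return (missing, added, modified) sorted path lists.

    All three empty means the archive holds exactly the tagged files."""
    missing = sorted(p for p in expected if p not in actual)
    added = sorted(p for p in actual if p not in expected)
    modified = sorted(p for p in expected
                      if p in actual and expected[p] != actual[p])
    return missing, added, modified


def archive_matches_tree(tar_bytes: bytes, prefix: str,
                         files: dict[str, bytes]) -> bool:
    """True only when the archive contains exactly the tagged files, unmodified."""
    result = diff_trees(tree_digests(files), archive_digests(tar_bytes, prefix))
    return all(not part for part in result)


def make_archive(files: dict[str, bytes], prefix: str) -> bytes:
    """Build a .tar.gz in memory; stands in for the archive the forge serves."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in sorted(files.items()):
            info = tarfile.TarInfo(name=prefix + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample tree standing in for the tagged commit.
SOURCE_TREE = {
    "configure.ac": b"AC_INIT([example], [1.0])\n",
    "build-aux/helper.m4": b"# build macro as committed to git\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
PREFIX = "example-1.0/"

# Archive that faithfully reflects the tag.
CLEAN_ARCHIVE = make_archive(SOURCE_TREE, PREFIX)

# Archive assembled by hand: one build script altered and one file added,
# neither of which exists at the tag.  This is the pattern the issue warns about.
TAMPERED_TREE = dict(SOURCE_TREE)
TAMPERED_TREE["build-aux/helper.m4"] = b"# build macro altered only in the tarball\n"
TAMPERED_TREE["tests/blob.bin"] = b"\x00\x01\x02\x03"
TAMPERED_ARCHIVE = make_archive(TAMPERED_TREE, PREFIX)


if __name__ == "__main__":
    for label, archive in (("clean", CLEAN_ARCHIVE), ("tampered", TAMPERED_ARCHIVE)):
        missing, added, modified = diff_trees(tree_digests(SOURCE_TREE),
                                              archive_digests(archive, PREFIX))
        verdict = ("OK to sign" if archive_matches_tree(archive, PREFIX, SOURCE_TREE)
                   else "DO NOT SIGN")
        print(f"{label}: {verdict} missing={missing} added={added} modified={modified}")
```

Only when this comparison comes back empty does the signing step make sense: a detached signature (for instance `gpg --detach-sign --armor example-1.0.tar.gz`) then covers an archive known to equal the tag rather than whatever happened to be downloaded. A release workflow that produces and signs the archive in CI straight from the tag removes the manual download and the opportunity to edit the tarball altogether, which is the direction the reporter's Sigstore workflow takes.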