What should we do with the sigstore files? #53

ocelotl · 2024-07-08T16:38:36Z

I managed to use a github action to include the sigstore file in a release:

https://github.com/SecuringCarter/opentelemetry-python/releases/tag/6

Is this what we want to do with the sigstore files?

ocelotl · 2024-07-08T18:16:56Z

jpkrohling · 2024-07-11T13:45:25Z

Not quite: checking the Python docs, I would expect the sigstore file to be uncompressed under the released artifacts. Do you provide any archive with the artifacts being released? Or are those only the ones provided automatically by GitHub?

jpkrohling · 2024-07-11T13:57:15Z

I see now that you are signing only one file, opentelemetry-api/pyproject.toml. Would that be sufficient to reassure your users? Python itself is signed with sigstore as well, but they distribute a tgz file and sign that tgz.

jpkrohling self-assigned this Jul 9, 2024

jpkrohling added the code signing Items related to questions, best practices and recommendations around code signing label Jul 11, 2024

jpkrohling mentioned this issue Jul 16, 2024

Add recommendation about sigstore #54

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

What should we do with the sigstore files? #53

What should we do with the sigstore files? #53

ocelotl commented Jul 8, 2024

ocelotl commented Jul 8, 2024

jpkrohling commented Jul 11, 2024

jpkrohling commented Jul 11, 2024

What should we do with the sigstore files? #53

What should we do with the sigstore files? #53

Comments

ocelotl commented Jul 8, 2024

ocelotl commented Jul 8, 2024

jpkrohling commented Jul 11, 2024

jpkrohling commented Jul 11, 2024