Generate SLSA signature / provenance for your artifacts #272

Open
laurentsimon opened this issue Sep 15, 2022 · 0 comments
Comments


laurentsimon commented Sep 15, 2022

Hi,

I'm reaching out on behalf of the Open Source Security Foundation (openssf.org), a project of the Linux Foundation. We work on improving the security of critical open source projects like yours.

Together with GitHub, we designed a free, easy-to-use method of code signing. It will help your users verify that your release artifacts were built from your repository and not altered by anyone. It’s just a few lines of code, but it will make your project more secure against third-party tampering and attacks like Codecov and CTX.

You don’t have to be a cryptography expert or learn complicated tools and verification is simple for your users. There are examples here to integrate with GoReleaser, for example.

We have onboarded several projects already, including urllib3, flatbuffers and grpc-gateway.

It would be great to see your repository generate SLSA provenance as well!

@laurentsimon laurentsimon added the enhancement New feature or request label Sep 15, 2022
@nishakm nishakm added this to the Release 0.1.0 milestone Sep 22, 2022
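For readers wondering what the "few lines of code" look like in practice, the following is an added illustration by the editor of this page, not code from the issue author, from the project, or from the slsa-github-generator repository itself. It assumes the OpenSSF generic provenance generator workflow (`generator_generic_slsa3.yml`) and its `base64-subjects`, `provenance-name` and `upload-assets` inputs; the artifact names `dist/tool-linux-amd64` and `dist/tool-darwin-arm64`, the build command, and the provenance file name are hypothetical placeholders. The build job computes SHA-256 digests of the release artifacts, and a second job calls the reusable generator workflow with the `id-token: write` permission it needs to obtain a short-lived signing identity from GitHub's OIDC provider.

```yaml
name: release

on:
  push:
    tags: ["v*"]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      # Base64-encoded "sha256  filename" lines; these become the subjects
      # named in the signed provenance statement.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v3

      # Hypothetical build step; replace with the project's own build.
      - name: Build release artifacts
        run: |
          set -euo pipefail
          mkdir -p dist
          make release OUTDIR=dist

      - name: Generate subject digests
        id: hash
        run: |
          set -euo pipefail
          cd dist
          # -w0 keeps the base64 on one line so it survives as a job output.
          echo "hashes=$(sha256sum tool-linux-amd64 tool-darwin-arm64 | base64 -w0)" >> "$GITHUB_OUTPUT"

      - uses: actions/upload-artifact@v3
        with:
          name: release-binaries
          path: dist/

  provenance:
    needs: [build]
    permissions:
      actions: read   # read the calling workflow's path for the provenance
      id-token: write # request the OIDC token used for keyless signing
      contents: write # attach provenance to the GitHub release
    # Pin the reusable workflow to a release tag (or better, a full commit SHA)
    # so that the provenance builder itself cannot be silently swapped out.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      provenance-name: "tool.intoto.jsonl"
      upload-assets: true
```

Two points a practitioner would check before relying on this. First, the provenance is only as trustworthy as the job that produced the digests: the `build` job must not accept untrusted inputs that could rewrite `dist/` after hashing, and the reusable workflow reference must be pinned rather than floated on a branch. Second, generating provenance is half the story; downstream users still have to verify it against the expected source. With the `slsa-verifier` CLI that is, for a consumer who downloaded `tool-linux-amd64` and `tool.intoto.jsonl` from the release page, `slsa-verifier verify-artifact tool-linux-amd64 --provenance-path tool.intoto.jsonl --source-uri github.com/OWNER/REPO --source-tag v1.0.0` (owner, repository and tag are placeholders). The `--source-uri` check is what ties the signature to this repository; a signature that merely validates, without that check, proves only that some GitHub workflow somewhere produced the file.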