GitHub users need to be able to rely on constructed artifacts to be immutable after they’ve been built. This is something that has traditionally been seen as nearly impossible due to the fact that Releases (a GitHub feature) are tightly bound to tags (a Git feature) and Git tags are mutable. However, with the introduction of the GitHub root certificate authority and Sigstore infrastructure, we can create tamper-proof attestations that will associate a collection of artifacts with a specific release pURL, repo-of-origin, git tag, and SHA.
Intended Outcome
Users of GitHub releases will be able to verify that a given binary they have downloaded came from a particular GitHub Release.
How will it work?
Customers will be able to:
Use first party GitHub Actions to generate and sign a release attestation.
The release attestation will ensure that accompanying build provenance exists for each artifact in the release.
Store those attestations securely in the GitHub attestation store.
Download and verify attestations using the GitHub CLI.
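The tag-mutability problem described in the summary can be reproduced locally. The script below is an added example, not code from this issue or from GitHub: it builds a scratch repository (the tag name, file name and helper functions are constructed for the demo), records the tag-to-SHA binding at release time, force-moves the tag, and shows that only the recorded SHA reveals the change.

```shell
#!/bin/sh
# Added example: a tag name alone cannot identify a release, but a
# recorded (tag, commit SHA) pair detects a tag that was moved later.
# Repository contents, tag name and identity are constructed for the demo.

# Run git with a throwaway identity and signing disabled.
g() {
  git -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false -c tag.gpgsign=false "$@"
}

# Print the commit that tag $2 currently points at in repo $1.
tag_commit() { git -C "$1" rev-parse --verify --quiet "refs/tags/$2^{commit}"; }

# Succeed only if tag $2 in repo $1 still points at recorded commit $3.
check_binding() { [ "$(tag_commit "$1" "$2")" = "$3" ]; }

# Tag a release, record the binding, move the tag, re-check.
# Prints "<result before move> <result after move>".
demo() (
  repo=$(mktemp -d) || exit 1
  g -C "$repo" init -q
  echo "v1 build" > "$repo/app.txt"
  g -C "$repo" add app.txt
  g -C "$repo" commit -q -m "release build"
  g -C "$repo" tag v1.0.0

  # What gets pinned at release time: the tag together with its SHA.
  recorded=$(tag_commit "$repo" v1.0.0)
  check_binding "$repo" v1.0.0 "$recorded" && before=match || before=mismatch

  # Later, the same tag name is force-moved to a different commit.
  echo "changed after release" > "$repo/app.txt"
  g -C "$repo" commit -q -am "post-release change"
  g -C "$repo" tag -f v1.0.0 >/dev/null

  check_binding "$repo" v1.0.0 "$recorded" && after=match || after=mismatch
  rm -rf "$repo"
  echo "$before $after"
)

demo   # prints: match mismatch
```

The tag name `v1.0.0` resolves successfully both times; only the comparison against the SHA recorded at release time shows that it no longer refers to the released commit.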