Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

the Signed-Releases remediation steps encourage manual manipulation of the source code archives #4018

Open
junyer opened this issue Apr 9, 2024 · 1 comment
Open

the Signed-Releases remediation steps encourage manual manipulation of the source code archives #4018

junyer opened this issue Apr 9, 2024 · 1 comment
Labels
check/Signed-Releases kind/docs Improvements or additions to documentation Stale

Comments

@junyer
Copy link

junyer commented Apr 9, 2024

scorecard/docs/checks.md

Lines 607 to 613 in b577d79

**Remediation steps**
- Publish the release.
- Generate a signing key.
- Download the release as an archive locally.
- Sign the release archive with this key (should output a signature file).
- Attach the signature file next to the release archive.
- If the source is hosted on GitHub, check out the steps [here](https://wiki.debian.org/Creating%20signed%20GitHub%20releases).

In light of CVE-2024-3094, could the Signed-Releases remediation steps not encourage manual manipulation of the source code archives? :P

FWIW, I filed this feature request for SLSA folks five months ago. Earlier today, I stopped waiting and wrote this workflow using Sigstore instead.
@junyer junyer added the kind/bug Something isn't working label Apr 9, 2024
@raghavkaul raghavkaul added kind/docs Improvements or additions to documentation check/Signed-Releases and removed kind/bug Something isn't working labels Jun 10, 2024
@github-actions GitHub Actions
Copy link

This issue has been marked stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Aug 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
check/Signed-Releases kind/docs Improvements or additions to documentation Stale
Projects
Scorecard - NEW
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@junyer @raghavkaul