-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add in-toto metadata to python-tuf releases #529
Comments
I'm going to remove "good first issue": The description may be clear to an in-toto expert but as an example I wouldn't have any idea where to start implementing this. Also editing the title to what I think the suggestion is |
With python-tuf builds becoming reproducible (see #1269) we can provide multiple in-toto links for any given release build each signed with a different maintainer key, and create a corresponding in-toto layout that encodes the key authorization and a signature threshold requirement. See |
Description of issue or feature request:
Project releases should include in-toto metadata that can be used to validate the integrity of the release's software supply chain.
Current behavior:
Developer signatures can be provided for each release of the project, both on GitHub and PyPI. However, these signatures do not guarantee that some part of the source->release process was
not compromised.
Expected behavior:
The packaged release should include metadata and a way to verify that the project was packaged as intended. All steps of the source->release procedure should be properly signed and confirmed to be valid, as defined by the project developers.
The text was updated successfully, but these errors were encountered: