Any plans on code signing the binary releases?
Hi there,
Any plans on code signing the binary releases?
My initial thinking was it wouldn't make sense to sign because the distributions would be redistributed as part of a larger application and would be signed as part of that larger application.
But I understand it can be useful to have pre-signed binaries available. I'll consider doing this as part of the release process. Although I don't have an EV signing certificate for Windows yet (but it is something I may acquire shortly).
That's great news! Thanks for the info. I shall pass it to my boss, who is the one with concerns.
Hi, any update on the possibility of signed releases? Thanks!
https://github.com/astral-sh/uv/issues/10288 relates; could this issue be reopened?
Not sure if it will speed up the scanning process on the AV side, but it could make the python.exe redistributed by `uv python install` more 'trustable' for scanning tools and corporations. Along with eventual adoption of https://github.com/rustls/rustls-platform-verifier in `uv python install` to help with TLS issues.
Some links might help, though the custom nature of this project might preclude use of some of the Github features.
https://github.com/slsa-framework/slsa-github-generator
https://github.com/actions/attest-build-provenance
https://github.blog/news-insights/product-news/introducing-artifact-attestations-now-in-public-beta/#an-effortless-user-experience
https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
https://blog.sigstore.dev/
https://github.com/sigstore/cosign-installer
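To make the artifact-attestation option concrete, here is an added example (not this project's workflow, and not posted by anyone in the thread) of a release job that attaches Sigstore-backed build provenance with actions/attest-build-provenance; the `./build.sh` step and the `dist/` output directory are hypothetical stand-ins for the project's real build.

```yaml
# Added example, not the project's own release workflow.
# Produces build provenance for each file under dist/ so downstream users
# can check where a binary was built before trusting or redistributing it.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  id-token: write      # lets the job obtain a short-lived Sigstore signing identity
  attestations: write  # lets the job store the attestation on GitHub
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build distributions
        run: ./build.sh          # hypothetical; writes the release archives into dist/
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: "dist/*" # every artifact here gets a signed provenance statement
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
```

A consumer can then check a downloaded file against the repository's attestations with `gh attestation verify <file> --repo <owner>/<repo>`, which fails if the file was not produced by that repository's workflow. This complements rather than replaces Authenticode signing: Windows AV and SmartScreen look at the Authenticode signature, while the attestation answers the separate question of which source and workflow built the artifact.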