
feature request: please sign your releases

Open udf2457 opened this issue 1 year ago • 1 comments

It is easier than ever to do in 2024! You can even do it fully automated via GitHub Actions, GitHub OIDC and Sigstore "keyless" signing.

udf2457, Apr 20 '24 20:04

Useful references:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

udf2457, Apr 23 '24 12:04

Hi, it needs to be a Prometheus org-wide decision, and can't be done in just blackbox_exporter. Please start a discussion about release signing in the community.

Also see:

If you are concerned about the exact provenance of your binaries, it is recommended to build them yourself rather than relying on the pre-built binaries provided by the project.

from: https://prometheus.io/docs/operating/security/#build-process

electron0zero, Dec 31 '24 20:12