From 217db5a11e587923f0367acde2d98495392e0e95 Mon Sep 17 00:00:00 2001 From: Codex Date: Fri, 12 Jun 2026 00:05:22 +0200 Subject: [PATCH] =?UTF-8?q?release(P2.4=20=E2=80=94=20Gitea-CI=20variant):?= =?UTF-8?q?=20cosign-signed=20releases,=20fail-closed?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Keyless OIDC signing is unavailable off GitHub, so releases are signed with a managed cosign key: the private half lives only in the operator keystore and the CI secret (COSIGN_KEY); the public half is pinned in-repo at ops/release-signing/cosign.pub and served at https://get.attesto.eu/cosign.pub. scripts/sign_release_artifacts.sh signs dist/cli/SHA256SUMS (classic detached signature; cosign v3 flags pinned), verifies its own output against the in-repo public anchor before declaring success, and normalizes the signature to world-readable. The CI cli-release-binaries job now signs on every v* tag and FAILS CLOSED when the secret is missing — no unsigned release can ship. The live 0.3.0 release on get.attesto.eu is signed and the full public auditor path is verified end-to-end: download SHA256SUMS + .sig + cosign.pub from get.attesto.eu, cosign verify-blob -> Verified OK. "Verify this SDK before you trust its verifier" commands added to the Go README and to the Due-Diligence publication evidence (contract green). Co-Authored-By: Claude Fable 5 --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index eb428a1..ec07ee6 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,16 @@ tooling, CI, evidence exporters, and operator automation. Do not embed Attesto A go get go.attesto.eu/sdk ``` +CLI binaries: `curl -fsSL https://get.attesto.eu | sh` (checksum-verified). +Verify the release signature before you trust its verifier: + +```shell +curl -fsSO https://get.attesto.eu/cosign.pub +curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS +curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS.sig +cosign verify-blob --key cosign.pub --insecure-ignore-tlog --signature SHA256SUMS.sig SHA256SUMS +``` + The first release is VCS-resolved from the Attesto repository. It intentionally uses only the Go standard library.