release(P2.4 — Gitea-CI variant): cosign-signed releases, fail-closed
Keyless OIDC signing is unavailable off GitHub, so releases are signed with a managed cosign key: the private half lives only in the operator keystore and the CI secret (COSIGN_KEY); the public half is pinned in-repo at ops/release-signing/cosign.pub and served at https://get.attesto.eu/cosign.pub. scripts/sign_release_artifacts.sh signs dist/cli/SHA256SUMS (classic detached signature; cosign v3 flags pinned), verifies its own output against the in-repo public anchor before declaring success, and normalizes the signature to world-readable. The CI cli-release-binaries job now signs on every v* tag and FAILS CLOSED when the secret is missing — no unsigned release can ship. The live 0.3.0 release on get.attesto.eu is signed and the full public auditor path is verified end-to-end: download SHA256SUMS + .sig + cosign.pub from get.attesto.eu, cosign verify-blob -> Verified OK. "Verify this SDK before you trust its verifier" commands added to the Go README and to the Due-Diligence publication evidence (contract green). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
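The signing side the commit message describes (sign SHA256SUMS with the managed key, re-verify the result against the in-repo public anchor rather than the key just used, make the .sig world-readable, and fail closed when the secret is absent), as an added shell example; this is not the project's scripts/sign_release_artifacts.sh. It assumes cosign is on PATH, that the private key and its passphrase arrive as the COSIGN_KEY and COSIGN_PASSWORD environment variables (cosign's env:// key reference), and that the flags shown are the cosign v2-era ones; the commit pins v3 flags but does not list them, so compare against the installed version.

```shell
#!/usr/bin/env sh
# Added example of a fail-closed release-signing routine; not the project's script.
# Assumptions: cosign on PATH; COSIGN_KEY holds the PEM private key (read via
# cosign's env:// reference) and COSIGN_PASSWORD its passphrase; PUBKEY default
# mirrors the in-repo anchor path named in the commit message.
set -eu

PUBKEY="${PUBKEY:-ops/release-signing/cosign.pub}"

# Fail closed: a missing signing secret is a hard error, never a skipped step.
require_signing_secret() {
    if [ -z "${COSIGN_KEY:-}" ]; then
        echo "refusing to build release: COSIGN_KEY is not set" >&2
        return 1
    fi
    return 0
}

# Classic detached signature, no transparency-log upload (key-based, not keyless).
sign_detached() {
    file="$1"
    cosign sign-blob --yes --key env://COSIGN_KEY --tlog-upload=false \
        --output-signature "$file.sig" "$file"
    # Normalize to world-readable: the .sig is published beside the file.
    chmod 0644 "$file.sig"
}

# Re-verify against the pinned public anchor, so a key/anchor mismatch is
# caught here instead of by the first downstream user.
self_verify() {
    file="$1"
    cosign verify-blob --key "$PUBKEY" --insecure-ignore-tlog \
        --signature "$file.sig" "$file"
}

# Entry point: sign_release dist/cli/SHA256SUMS
sign_release() {
    require_signing_secret
    sign_detached "$1"
    self_verify "$1"
}
```

Call `sign_release dist/cli/SHA256SUMS` from the CI job; with `set -e` active, a missing secret or a failed self-verification aborts the job before any artifact is published.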
10
README.md
@@ -10,6 +10,16 @@ tooling, CI, evidence exporters, and operator automation. Do not embed Attesto A
|
|||||||
go get go.attesto.eu/sdk
|
go get go.attesto.eu/sdk
|
||||||
```
|
```
|
||||||
|
|
||||||
|
CLI binaries: `curl -fsSL https://get.attesto.eu | sh` (checksum-verified).
|
||||||
|
Verify the release signature before you trust its verifier:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
curl -fsSO https://get.attesto.eu/cosign.pub
|
||||||
|
curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS
|
||||||
|
curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS.sig
|
||||||
|
cosign verify-blob --key cosign.pub --insecure-ignore-tlog --signature SHA256SUMS.sig SHA256SUMS
|
||||||
|
```
|
||||||
|
|
||||||
The first release is VCS-resolved from the Attesto repository. It intentionally
|
The first release is VCS-resolved from the Attesto repository. It intentionally
|
||||||
uses only the Go standard library.
|
uses only the Go standard library.
|
||||||
|
|
||||||
|
|||||||
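Review bot: the verification recipe added to README.md fetches cosign.pub from the same origin that serves SHA256SUMS and SHA256SUMS.sig, so a reader who follows only these four lines has a single trust root for both the artifacts and the key that vouches for them. The commit message says the public half is also pinned in-repo at ops/release-signing/cosign.pub; the README should tell readers to compare the downloaded key against that in-repo copy (or publish the key's fingerprint next to the recipe) so the download host is not the sole source of the verifying key. Three smaller points on the same block: `--insecure-ignore-tlog` needs a one-line explanation in the README, since the commit message explains that signing is key-based rather than keyless but the README reader only sees a flag named "insecure"; the `0.3.0` in `https://get.attesto.eu/0.3.0/SHA256SUMS` and the `.sig` URL is hard-coded while the installer line above is version-agnostic, so say it must be substituted for the release being verified; and the recipe ends at "Verified OK" on SHA256SUMS without the final `sha256sum -c SHA256SUMS` step (or a note that the installer performs it), so the chain as written does not reach the binary.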