release(P2.4 — Gitea-CI variant): cosign-signed releases, fail-closed

Keyless OIDC signing is unavailable off GitHub, so releases are signed with a
managed cosign key: the private half lives only in the operator keystore and
the CI secret (COSIGN_KEY); the public half is pinned in-repo at
ops/release-signing/cosign.pub and served at https://get.attesto.eu/cosign.pub.

scripts/sign_release_artifacts.sh signs dist/cli/SHA256SUMS (classic detached
signature; cosign v3 flags pinned), verifies its own output against the
in-repo public anchor before declaring success, and normalizes the signature
to world-readable. The CI cli-release-binaries job now signs on every v* tag
and FAILS CLOSED when the secret is missing — no unsigned release can ship.

The live 0.3.0 release on get.attesto.eu is signed and the full public
auditor path is verified end-to-end: download SHA256SUMS + .sig + cosign.pub
from get.attesto.eu, cosign verify-blob -> Verified OK. "Verify this SDK
before you trust its verifier" commands added to the Go README and to the
Due-Diligence publication evidence (contract green).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Codex
2026-06-12 00:05:22 +02:00
parent ce9b8ccfbb
commit 217db5a11e
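The sign-then-verify-then-fail-closed flow the commit message describes, as an added illustration; this is not the project's scripts/sign_release_artifacts.sh and is not taken from the repository. It assumes cosign is on PATH, that `cosign sign-blob` accepts `--key env://COSIGN_KEY`, `--tlog-upload=false`, `--yes` and `--output-signature` (cosign v2-era flags, assumed to still hold for the pinned v3 invocation), and that the in-repo public anchor lives at ops/release-signing/cosign.pub (the path named in the commit message; overridable via PUBLIC_ANCHOR). The function names and the PUBLIC_ANCHOR variable are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own script): sign a checksum manifest with a
# managed cosign key, verify the fresh signature against the in-repo public
# anchor, and refuse to proceed when the signing secret is absent.
set -eu

# Public half of the managed key, pinned in the repository. Verification uses
# this file, never a key downloaded from the release host. (Path assumed.)
PUBLIC_ANCHOR="${PUBLIC_ANCHOR:-ops/release-signing/cosign.pub}"

# require_secret: fail closed. A missing COSIGN_KEY returns non-zero instead
# of silently skipping the signing step, so no unsigned release can ship.
require_secret() {
  if [ -z "${COSIGN_KEY:-}" ]; then
    echo "COSIGN_KEY is not set: refusing to produce an unsigned release" >&2
    return 1
  fi
  return 0
}

# sign_manifest: classic detached signature over FILE, written to FILE.sig.
# --tlog-upload=false because this is key-based signing with no transparency
# log (keyless OIDC is unavailable off GitHub); the matching verify therefore
# needs --insecure-ignore-tlog. Flag names assumed, see lead-in.
sign_manifest() {
  file="$1"
  cosign sign-blob --yes --key env://COSIGN_KEY --tlog-upload=false \
    --output-signature "$file.sig" "$file"
}

# verify_manifest: check the signature just produced against the in-repo
# anchor before declaring success, so a wrong or rotated key is caught in CI.
verify_manifest() {
  file="$1"
  cosign verify-blob --key "$PUBLIC_ANCHOR" --insecure-ignore-tlog \
    --signature "$file.sig" "$file"
}

# sign_release_artifacts MANIFEST: the full fail-closed pipeline.
# Every precondition returns non-zero; nothing is written on failure.
sign_release_artifacts() {
  file="${1:-dist/cli/SHA256SUMS}"
  require_secret || return 1
  if [ ! -f "$file" ]; then
    echo "missing manifest: $file" >&2
    return 1
  fi
  if [ ! -f "$PUBLIC_ANCHOR" ]; then
    echo "missing public anchor: $PUBLIC_ANCHOR" >&2
    return 1
  fi
  if ! command -v cosign >/dev/null 2>&1; then
    echo "cosign is not installed" >&2
    return 1
  fi
  sign_manifest "$file"
  verify_manifest "$file"
  # Normalize to world-readable so the .sig can be published as-is.
  chmod 0644 "$file.sig"
  echo "signed and verified: $file.sig"
}

# Run the pipeline only when invoked as the script itself, so sourcing the
# file for its functions has no side effects.
case "${0##*/}" in
  sign_release_artifacts.sh) sign_release_artifacts "$@" ;;
esac
```

In CI the job exports COSIGN_KEY (and COSIGN_PASSWORD if the key is encrypted) and runs the script on the v* tag; any missing precondition exits non-zero and the job fails rather than shipping an unsigned manifest.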


@@ -10,6 +10,16 @@ tooling, CI, evidence exporters, and operator automation. Do not embed Attesto A
go get go.attesto.eu/sdk
```
CLI binaries: `curl -fsSL https://get.attesto.eu | sh` (checksum-verified).
Verify the release signature before you trust its verifier:
```shell
curl -fsSO https://get.attesto.eu/cosign.pub
curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS
curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS.sig
cosign verify-blob --key cosign.pub --insecure-ignore-tlog --signature SHA256SUMS.sig SHA256SUMS
```
The first release is VCS-resolved from the Attesto repository. It intentionally
uses only the Go standard library.
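Review bot: the verification snippet fetches the trust anchor from the same origin as the artifacts it is meant to check (`curl -fsSO https://get.attesto.eu/cosign.pub` beside SHA256SUMS and SHA256SUMS.sig), so a reader who follows it only learns that get.attesto.eu served a mutually consistent key, sum file and signature; the commit message says the public half is pinned in-repo at ops/release-signing/cosign.pub, so the README should point readers at that second source (or print the key's fingerprint inline) and tell them to compare before running `cosign verify-blob`. Two smaller points: `--insecure-ignore-tlog` deserves a one-line explanation here (key-based signing with no transparency-log upload, since keyless signing is unavailable off GitHub) so it does not read as a weakening the user is asked to accept blindly; and the snippet sits after the `curl -fsSL https://get.attesto.eu | sh` install line with `0.3.0` hardcoded in the paths, so state that verification should precede installation and that the version segment changes per release.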