FR: signed docker images #8670
Labels
help wanted
Contribution especially encouraged
releases
Related to building and distributing release artifacts of uv
Comments
zanieb
added
help wanted
zanieb
pushed a commit
that referenced
this issue
Jan 31, 2025
cosign uses the GitHub action ID token to retrieve an ephemeral code signing certificate from Fulcio, and store the signature in the Rekor transparency log. Once an image has been successfully signed, you should be able to verify the signature with: ```sh cosign verify ghcr.io/astral-sh/uv:latest --certificate-identity-regexp='.*' --certificate-oidc-issuer-regexp='.*' ``` Closes #8670
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We'd appreciate it greatly if the docker images produced for uv were signed.
Github has provided a blog post with a sample Github Actions step, as well as a sample workflow that uses key-less signing with
cosign, to accomplish this.The text was updated successfully, but these errors were encountered: