Proposal - Signatures for Carvel Artifacts #668
Conversation
Signed-off-by: Thomas Vitale <[email protected]>
✅ Deploy Preview for carvel canceled.
Thank you so much for putting this together 🙏🏼
Just added a few thoughts and called out some "nice to haves"!
@100mik thanks for your review. I have added examples in GitHub Actions of how to verify the signatures for both OCI and binary artifacts (including links to a couple of demos I made). I have also refined the suggestion for the binary artifacts part and included examples of how to integrate Cosign with GoReleaser, since that's the tool used by all Carvel projects.
The proposal looks good.
The only question I would like to see answered before a thumbs up is, what are the plans for our GitHub action? Should it also verify that the binaries are signed? If so, we need to ensure we are backward compatible since we have older versions without signatures.
@joaopapereira thanks for the review. Do you mean this Action? https://github.com/carvel-dev/setup-action I can see we are currently verifying the checksums against the
That sounds great to me. I will review it again when you add this part. Thanks for the great work.
@joaopapereira I have added a section to describe the changes suggested for the Carvel GitHub Action.
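The two points discussed above (Cosign signatures on GoReleaser-built binaries, and a setup-action that verifies them while staying backward compatible with older releases that only ship checksums) can be combined into one verification flow. The script below is an added example, not code from carvel-dev/setup-action or from the proposal. It assumes a GoReleaser release layout in which `checksums.txt` is signed keyless with Cosign, producing `checksums.txt.sig` and `checksums.txt.pem` next to it; the binary name, the signer identity regexp and the sample release directory are constructed for illustration and are not Carvel's real values.

```sh
#!/usr/bin/env sh
# Added example (not carvel-dev/setup-action code): verify a downloaded
# release binary, preferring Cosign keyless verification of the signed
# checksums file when the release ships a signature, and falling back to
# checksum-only verification (today's behaviour) for older releases.
#
# Assumptions (illustrative, not from the page): GoReleaser publishes
# checksums.txt, and signed releases add checksums.txt.sig and
# checksums.txt.pem; the identity regexp below is a placeholder.
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"
IDENTITY_REGEXP='^https://github\.com/carvel-dev/.+/\.github/workflows/.+$'

# Pick the verification path for a release directory:
# "signature" when both signature and certificate are present, else "checksum".
verification_mode() {
  dir="$1"
  if [ -f "$dir/checksums.txt.sig" ] && [ -f "$dir/checksums.txt.pem" ]; then
    echo signature
  else
    echo checksum
  fi
}

# Compare sha256 of $dir/$name with its entry in checksums.txt.
# Returns 0 on match, 1 on mismatch or when the entry is missing.
verify_checksum() {
  dir="$1"; name="$2"
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$dir/checksums.txt")
  [ -n "$expected" ] || return 1
  actual=$(sha256sum "$dir/$name" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# Keyless verification of the signed checksums file (Cosign 2.x flags).
# Only checksums.txt is signed; the binary is bound to it by its hash, so
# verify_checksum must still run after this succeeds.
verify_signature() {
  dir="$1"
  cosign verify-blob \
    --certificate "$dir/checksums.txt.pem" \
    --signature "$dir/checksums.txt.sig" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_REGEXP" \
    "$dir/checksums.txt"
}

# Backward-compatible flow: signature check when available, then checksum.
verify_release_binary() {
  dir="$1"; name="$2"
  if [ "$(verification_mode "$dir")" = signature ]; then
    verify_signature "$dir" || return 1
  fi
  verify_checksum "$dir" "$name"
}

# Constructed sample release directory (older layout: checksums only).
make_sample_release() {
  sample=$(mktemp -d)
  printf 'fake ytt binary\n' > "$sample/ytt-linux-amd64"
  (cd "$sample" && sha256sum ytt-linux-amd64 > checksums.txt)
  echo "$sample"
}

# Stand-alone demo: the sample has no signature, so the checksum path runs
# and cosign is never invoked.
demo_dir=$(make_sample_release)
echo "verification mode: $(verification_mode "$demo_dir")"
if verify_release_binary "$demo_dir" ytt-linux-amd64; then
  echo "verified ytt-linux-amd64"
else
  echo "verification failed for ytt-linux-amd64" >&2
fi
```

The fallback is deliberately conditioned on the presence of the signature files rather than on a version number, so a release that ships signatures is always verified with them and an old release still installs. Once all supported versions are signed, the `checksum` branch of `verification_mode` can be turned into a hard failure.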
LGTM
Looks good! 🚀
LGTM! Thank you so much for the great work !!
We are at the point where we can consider this Lazily approved. @ThomasVitale please update the status and we will be able to merge it.
---
title: "Signatures for Carvel Artifacts"
authors: [ "Thomas Vitale <[email protected]>" ]
status: "in review"
Suggested change:
- status: "in review"
+ status: "accepted"
@joaopapereira Thanks, I updated the status
Green lights all the way!
We should probably work towards having a flow that does not require commits to change statuses in the future 🤔
* Proposal - Signatures for Carvel Artifacts
Signed-off-by: Thomas Vitale <[email protected]>
* Update proposal metadata
Signed-off-by: Thomas Vitale <[email protected]>
* Improve formatting
Signed-off-by: Thomas Vitale <[email protected]>
* Update proposal status
Signed-off-by: Thomas Vitale <[email protected]>
* Improve proposal after review
Signed-off-by: Thomas Vitale <[email protected]>
* Refined proposal for binaries + examples
Signed-off-by: Thomas Vitale <[email protected]>
* Fix typo
Signed-off-by: Thomas Vitale <[email protected]>
* Introduce changes to Carvel GH Action
Signed-off-by: Thomas Vitale <[email protected]>
* Update proposal status to 'accepted'
Signed-off-by: Thomas Vitale <[email protected]>
---------
Signed-off-by: Thomas Vitale <[email protected]>
Signed-off-by: ashpect <[email protected]>
Proposal for introducing signatures for all Carvel artifacts as previously suggested in #619.