GPG Artifact Sign Experiment
Minor experiment with a shell script for signing artifacts that would be generated from a build process.
- Build tooling can support multiple checksum algorithms (sha256/sha1/md5/sha512/etc)
- Docker Container Trust (DCT) didn’t fit with the usecase/portability desired
- GPG is the standard way for doing this (can this be packaged into something more portable?)
- Design should aim to be agnostic of GitHub Releases or any other platform
- Build tooling likely doesn’t need to understand the concept of “signing” (or should it?)
- If build tools understand signing, does that mean there need to be ‘Developer Keys’?
- Is this really just as just a matter of familiarity?
- The CI/Build process is responsible for signing files to assert that “it” was responsible for the build (e.g. not just dev artifacts published to S3)