Request
Releases publish checksums.txt (goreleaser), and #647 makes install-cli.sh verify the archive against it. But checksums.txt is fetched from the same release over the same HTTPS as the artifact, so it provides integrity, not protection against a compromised release host. Signing checksums.txt with cosign keyless (sigstore) gives a real, out-of-band trust anchor.
Proposed changes (producer side)
.goreleaser.yaml — add a signs block:
signs:
  - cmd: cosign
    artifacts: checksum
    signature: "${artifact}.sig"
    certificate: "${artifact}.pem"
    args: ["sign-blob", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}", "--yes"]
    output: true
.github/workflows/release.yaml — add id-token: write to permissions (currently contents: write) and install cosign before goreleaser:
- uses: sigstore/cosign-installer@v3
This uploads checksums.txt.sig + checksums.txt.pem to each release. Keyless signing ties the signature to this repo's GitHub Actions OIDC identity.
Consumer side
cosign isn't preinstalled on most machines, so the curl | bash installer can't hard-require it. Suggested: install-cli.sh does an optional cosign verify-blob (pinning --certificate-oidc-issuer https://token.actions.githubusercontent.com and a --certificate-identity-regexp for this repo's release workflow) when cosign is present, falling back to the checksum check otherwise. Security-conscious users / CI can verify explicitly.
Notes
The signing change only runs in the release workflow on a tag, so it needs to be validated by an actual release. Happy to open a PR with the goreleaser + workflow diff and the optional install-script verify path if this is something you'd like to adopt.
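Sketch of the consumer-side verify path described above, as an added example in POSIX sh (not the project's install-cli.sh, and not the requester's code). The org/repo, workflow path, tag pattern and archive name in IDENTITY_RE and make_fixture are assumptions standing in for the real repo; the cosign flags are the ones named in the request (--certificate-oidc-issuer, --certificate-identity-regexp) plus --signature/--certificate for the detached .sig/.pem. The fixture is constructed so the checksum path runs offline; the cosign path needs real release artifacts.

```shell
#!/bin/sh
# Added example, not the project's install-cli.sh. If cosign is installed,
# verify the keyless signature on checksums.txt (pinned to the GitHub Actions
# OIDC issuer and this repo's release workflow identity) before trusting it;
# if cosign is absent, fall back to the checksum check alone.
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Assumption: the release workflow is .github/workflows/release.yaml, run on
# v* tags, in example-org/example-cli. The real repo would be substituted.
IDENTITY_RE='^https://github\.com/example-org/example-cli/\.github/workflows/release\.yaml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'
COSIGN_BIN="${COSIGN_BIN:-cosign}"

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_checksums_signature DIR
# 0: cosign verified checksums.txt; 2: cosign not installed (caller may fall
# back); 1: cosign is installed but rejected the signature or .sig/.pem are
# missing. Missing signature files are deliberately NOT a fallback case: a
# compromised host could simply omit them.
verify_checksums_signature() {
  dir=$1
  command -v "$COSIGN_BIN" >/dev/null 2>&1 || return 2
  "$COSIGN_BIN" verify-blob \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --signature "$dir/checksums.txt.sig" \
    --certificate "$dir/checksums.txt.pem" \
    "$dir/checksums.txt" >/dev/null 2>&1
}

# verify_archive_checksum DIR ARCHIVE_NAME
# checksums.txt lines are "<sha256>  <filename>" as goreleaser writes them.
verify_archive_checksum() {
  dir=$1; name=$2
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$dir/checksums.txt")
  [ -n "$expected" ] || return 1
  [ "$expected" = "$(sha256_of "$dir/$name")" ]
}

# verify_release DIR ARCHIVE_NAME
# Prints "signed" or "checksum-only" so the caller can log which guarantee it
# actually obtained; returns 1 on any verification failure.
verify_release() {
  dir=$1; name=$2
  rc=0
  verify_checksums_signature "$dir" || rc=$?
  case $rc in
    0) mode=signed ;;
    2) mode=checksum-only ;;
    *) echo "cosign rejected $dir/checksums.txt" >&2; return 1 ;;
  esac
  verify_archive_checksum "$dir" "$name" || { echo "checksum mismatch: $name" >&2; return 1; }
  echo "$mode"
}

# make_fixture: constructed stand-in for a downloaded release (a fake archive
# plus a goreleaser-style checksums.txt); prints the directory.
make_fixture() {
  d=$(mktemp -d)
  printf 'not a real tarball\n' > "$d/tool_1.0.0_linux_amd64.tar.gz"
  printf '%s  %s\n' "$(sha256_of "$d/tool_1.0.0_linux_amd64.tar.gz")" \
    tool_1.0.0_linux_amd64.tar.gz > "$d/checksums.txt"
  echo "$d"
}

if [ "${1:-}" = "demo" ]; then
  d=$(make_fixture)
  verify_release "$d" tool_1.0.0_linux_amd64.tar.gz
fi
```

The one design point worth keeping when porting this into a real installer: the fallback is keyed on cosign being absent, never on checksums.txt.sig or .pem being absent. If cosign is present and the signature files are missing or invalid, the install fails, otherwise a compromised release host could downgrade every user to the checksum-only path by deleting two files.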