GitHub Release Attestations #943
Labels
github enterprise
Product SKU: GitHub Enterprise
preview
Feature phase: Preview
repositories
Feature: Github Repositories
Summary
GitHub users need to be able to rely on constructed artifacts to be immutable after they’ve been built. This has traditionally been seen as nearly impossible because Releases (a GitHub feature) are tightly bound to tags (a Git feature) and Git tags are mutable. However, with the introduction of a GitHub root certificate authority and Sigstore infrastructure, we can create tamper-proof attestations that will associate a collection of artifacts with a specific release pURL, repo-of-origin, Git tag, and SHA.
Intended Outcome
Users of GitHub releases will be able to verify that a given binary they have downloaded came from a particular GitHub Release.
How will it work?
Customers will be able to: