GitHub has launched Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifact Attestations is now available in a public beta.
Introduced May 2, Artifact Attestations lets project maintainers create a "tamper-proof, unforgeable paper trail" that links software artifacts to the process that created them. "Downstream consumers of this metadata can use it as a foundation for new security and validity checks through policy evaluations via tools like Rego and Cue," GitHub wrote in the announcement.
Verification support initially will be based on the GitHub CLI, but this will be expanded to bring the same controls to the Kubernetes ecosystem later this year. Powering Artifact Attestations is the Sigstore open-source project for signing and verifying software artifacts.
Artifact Attestations helps reduce the complexity of deploying public key infrastructure by placing trust in the security of a GitHub account, GitHub said. This is done by signing a document with a temporary key pair. The public key is attached to a certificate tied to the build system's workload identity. The private key never leaves process memory and is discarded immediately after signing. This differs from other approaches to signing that rely on human identities and long-lived keys, GitHub said.
Setting up Artifact Attestations is done by adding YAML to a GitHub Actions workflow to create an attestation and installing the GitHub CLI tool to verify it.
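As an added illustration of that setup (not from the article or from GitHub's own documentation), the workflow below builds an artifact, signs a provenance attestation for it with the `actions/attest-build-provenance` action, and then verifies the attestation with `gh attestation verify` in a later job. The artifact path `dist/app.tar.gz`, the build commands and the job names are assumptions chosen for the example; the `permissions` block is what lets the job mint the short-lived OIDC identity that the certificate in the attestation is bound to.

```yaml
# Added example workflow: build, attest, then verify.
# Paths and build commands are placeholders for this example.
name: build-and-attest

on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # needed to obtain the workload identity token
      attestations: write   # needed to store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (placeholder build step)
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz src/

      # Sign provenance for the artifact with a temporary key pair;
      # the private key lives only in the action's process memory.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

  verify:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app

      # Consumer-side check: confirm the downloaded file was produced by a
      # workflow in this repository. The command exits non-zero on mismatch.
      - name: Verify provenance with the GitHub CLI
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh attestation verify app.tar.gz --repo "$GITHUB_REPOSITORY"
```

Outside of Actions, the same `gh attestation verify <file> --repo <owner>/<repo>` (or `--owner <org>`) command lets a downstream consumer check a downloaded artifact before deploying it.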
Copyright © 2024 IDG Communications, Inc.