Context
OpenSSF Best Practices silver criterion signed_releases requires cryptographically signed release results and a documented verification process.
The release workflow on origin/main contains keyless cosign signing steps, but the current public release v0.8.0 does not include .sig/.pem signature assets. Until a public release includes signatures and verification instructions, the criterion should remain unmet.
Scope
- Verify why v0.8.0 lacks public signature assets despite the current release workflow signing step.
- Publish signatures and certificates for release binaries, release evidence, release capsules, and other release assets in scope.
- Document verification commands for external users.
- Ensure the release workflow fails if generated signatures are not uploaded.
- Update the Best Practices submission once a public release can be verified.
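The check behind the "fail if signatures are not uploaded" item, as an added example rather than the project's own workflow code: a pre-upload guard that refuses to continue unless every primary release asset in a staging directory has both its keyless cosign signature and certificate beside it. It assumes the companion files are named `<asset>.sig` and `<asset>.pem` (the conventional cosign sign-blob naming, assumed here and not taken from the project's workflow), and treats an empty staging directory as a failure too, since a release that signed nothing should not pass.

```bash
#!/usr/bin/env bash
# Pre-upload guard for a release job (added example, not the project's workflow).
# Every primary asset in the staging directory must have a keyless cosign
# signature (<asset>.sig) and its signing certificate (<asset>.pem); the
# companion naming is an assumption for this example.
# Usage: check_release_signatures <staging-dir>; exit status is non-zero on any gap.
check_release_signatures() {
  local dir="$1"
  local missing=0 assets=0
  local f base

  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    base="${f##*/}"
    case "$base" in
      *.sig|*.pem) continue ;;   # companions, not primary assets
    esac
    assets=$((assets + 1))
    if [ ! -f "$f.sig" ]; then
      echo "missing signature: $base.sig" >&2
      missing=$((missing + 1))
    fi
    if [ ! -f "$f.pem" ]; then
      echo "missing certificate: $base.pem" >&2
      missing=$((missing + 1))
    fi
  done

  if [ "$assets" -eq 0 ]; then
    echo "no primary release assets found in $dir; refusing to upload" >&2
    return 1
  fi
  if [ "$missing" -ne 0 ]; then
    echo "$missing signature/certificate file(s) missing; refusing to upload" >&2
    return 1
  fi
  echo "all $assets asset(s) in $dir have .sig and .pem companions"
  return 0
}
```

Running this as the last step before the upload step, with the job set to stop on a non-zero exit, is what turns a silently skipped signing step into a failed release. The matching user-facing verification for the same files is the keyless check `cosign verify-blob --certificate <asset>.pem --signature <asset>.sig --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '<workflow identity>' <asset>`, where the identity regexp is a placeholder for the project's own release workflow identity.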
Done when
- A public release includes signature and certificate artifacts for each signed release asset in scope.
- External users can verify those signatures without private project access.
- signed_releases can be marked met with a release URL and verification documentation.
Non-goals