Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support verifying packages with minisign #2978

Closed
suzuki-shunsuke opened this issue Jul 2, 2024 · 0 comments · Fixed by #2994
Closed

Support verifying packages with minisign #2978

suzuki-shunsuke opened this issue Jul 2, 2024 · 0 comments · Fixed by #2994
Labels
enhancement New feature or request security
Milestone
v2.31.0

Comments

@suzuki-shunsuke
Copy link
Member

Feature Overview

Support verifying packages with minisign.

Why is the feature needed?

To install some packages securely.
For example, zig is signed by minisign.

Workaround

No response

Example Code

This feature is similar to Cosign and slsa-verifier.

https://aquaproj.github.io/docs/reference/registry-config/cosign/

This feature depends on minisign.
So aqua should install minisign transparently same as Cosign and slsa-verifier.

registry.yaml

minisign:
  enabled: true
  public_key: "RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"
  # public_key_url: https://example/signature.pub

Note
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request security
Projects
No open projects
main
Status: Done
Milestone
v2.31.0
Development

Successfully merging a pull request may close this issue.

feat: support verifying with minisign aquaproj/aqua
1 participant
@suzuki-shunsuke