by ejholmes
2874 days ago
General rule of thumb for secure package distribution:

1. Is the identifier mutable? Make sure it points to a content addressable identifier (SHA2), and sign that link.
2. Is it a content addressable identifier? Nothing to do.

When it comes to signing in git, signing tags is usually where you see the most value (mutable identifier that points to a git tree, which is content addressable). You’re just trying to improve the trust in saying “Hey, v1.2 is this SHA digest”.
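The rule of thumb above, worked through as an added Go example that is not from the comment or from any particular package tool: the only signed object is the link from the mutable name ("v1.2") to a content-addressable SHA-256 digest, and resolving the name means verifying that signature first and then checking the fetched bytes against the digest. The `TagLink` format, the fixed key seed and the package contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TagLink binds a mutable identifier (a tag such as "v1.2") to a content-addressable digest; the signature covers this binding only.
type TagLink struct {
	Name   string // mutable identifier
	Digest string // hex SHA-256 of the content the name currently points to
}

// Message is the canonical byte string the signature covers: name and digest together, so a signature cannot be reused for another name or digest.
func (l TagLink) Message() []byte { return []byte(l.Name + " -> sha256:" + l.Digest) }

// SignLink hashes the content and signs the name -> digest binding with Ed25519.
func SignLink(priv ed25519.PrivateKey, name string, content []byte) (TagLink, []byte) {
	sum := sha256.Sum256(content)
	link := TagLink{Name: name, Digest: hex.EncodeToString(sum[:])}
	return link, ed25519.Sign(priv, link.Message())
}

// VerifyFetched resolves a mutable name safely: the signature on the link must verify (mutable step) and the fetched bytes must hash to the digest (content-addressable step).
func VerifyFetched(pub ed25519.PublicKey, link TagLink, sig, content []byte) error {
	if !ed25519.Verify(pub, link.Message(), sig) {
		return errors.New("tag link signature invalid: do not trust name -> digest")
	}
	if sum := sha256.Sum256(content); hex.EncodeToString(sum[:]) != link.Digest {
		return errors.New("fetched content does not match the signed digest")
	}
	return nil
}

// DemoKeys derives a fixed Ed25519 key pair from a constructed 32-byte seed (example only).
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("example-seed-not-for-real-use!!!"))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	content := []byte("constructed package contents")
	link, sig := SignLink(priv, "v1.2", content)
	fmt.Println("v1.2 ->", link.Digest, "verify:", VerifyFetched(pub, link, sig, content))
	// Re-pointing the signed link at a different name without re-signing is rejected.
	fmt.Println("retagged as v1.3:", VerifyFetched(pub, TagLink{"v1.3", link.Digest}, sig, content))
}
```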