Protect your open source project from supply chain attacks (opensource.googleblog.com)
21 points by Dentrax 1702 days ago
2 comments

> Q8: What should you look for when selecting artifacts from a registry?

> ANSWER: That artifacts have been cryptographically and verifiably signed

Great to see this becoming an expectation, or at least a well known aspiration. The link to the sigstore website provides a good introduction about how to achieve this goal.[0]

There's no fundamental reason why getting a malicious binary onto someone's machine should be easier than getting malicious source code into a repo, but unfortunately catching malicious source code might be "the other 90% of the problem", and might ultimately require something like decentralised developer reputation vouching, which is far from being a solved problem.

[0] https://www.sigstore.dev/
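As an added example (not code from the blog post, from sigstore, or from the commenter above), the following Go program shows what "cryptographically and verifiably signed" reduces to at the registry consumer's end: a detached signature over the artifact's digest, checked against the publisher's public key, so that a single flipped byte or a signature from the wrong key is rejected. It uses the standard library's Ed25519 and SHA-256 as a stand-in for sigstore's signing backend and omits the keyless (Fulcio/Rekor) parts of the real flow; the function names, the digest-then-sign layout and the sample artifact bytes are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// digest returns the SHA-256 digest of an artifact. Signing the digest rather
// than the raw bytes lets the same detached signature cover a large blob or an
// OCI manifest; this layout is an assumption for the example, not sigstore's
// exact wire format.
func digest(artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	return sum[:]
}

// SignArtifact produces a detached Ed25519 signature over the artifact digest.
// This is what a publisher runs before pushing to the registry.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, digest(artifact))
}

// VerifyArtifact is the consumer-side check: it recomputes the digest from the
// bytes actually downloaded and verifies the detached signature against the
// trusted public key. Any tampering, truncation or key mismatch yields false.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed inputs are rejected, never "best-effort" accepted
	}
	return ed25519.Verify(pub, digest(artifact), sig)
}

// Demo exercises the three cases a practitioner cares about: a genuine
// artifact, a tampered artifact, and a signature from an untrusted key.
// The artifact bytes are constructed sample input.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_ = attackerPub

	artifact := []byte("#!/bin/sh\necho installing example-tool v1.2.3\n") // constructed sample
	sig := SignArtifact(priv, artifact)

	// 1. Untouched artifact, publisher's signature: must verify.
	genuine = VerifyArtifact(pub, artifact, sig)

	// 2. One byte changed after signing (a backdoored rebuild): must fail.
	modified := append([]byte{}, artifact...)
	modified[len(modified)-2] ^= 0x01
	tampered = VerifyArtifact(pub, modified, sig)

	// 3. Same artifact, but signed with a key the consumer does not trust: must fail.
	wrongKey = VerifyArtifact(pub, artifact, SignArtifact(attackerPriv, artifact))
	return genuine, tampered, wrongKey, nil
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", genuine, tampered, wrongKey)
}
```

The point the example makes is that the check is against the bytes you actually received plus a key you trust out of band; a registry that merely stores a signature next to a blob, without the consumer binding the key to a publisher identity, does not give the assurance the quoted answer asks for.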

Thanks for the share, I learned many things reading this.