Software installers should check hashes and signatures before installing anything. Doesn't GitHub support package repositories for signed packages? https://slsa.dev/get-started explains verifiable build provenance attestations:

> SLSA 2
>
> To achieve SLSA 2, the goals are to:
>
> - Run your build on a hosted platform that generates and signs provenance
> - Publish the provenance to allow downstream users to verify
>
> [...]
>
> SLSA 3
>
> To achieve SLSA 3, you must:
>
> - Run your build on a hosted platform that generates and signs provenance
> - Ensure that build runs cannot influence each other
> - Produce signed provenance that can be verified as authentic

And:

> For now, the convention is to keep the provenance attestation with your artifact. Though Sigstore is becoming more and more popular, the format of the provenance is currently tool-specific.
[0]: https://aquaproj.github.io/
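As an added illustration of what "check hashes and signatures before installing" means when an artifact ships with a SLSA provenance attestation (this is example code, not the commenter's, SLSA's, or aquaproj's): an installer-side verifier that checks the DSSE signature over the provenance, then checks that the artifact's SHA-256 appears in the statement's `subject`, then checks that the builder is one it trusts. The artifact bytes, the in-toto statement, the builder id and the key are all constructed here; the HMAC signer stands in for the asymmetric (e.g. Sigstore) signature a real build platform would produce, so only the verification order and the DSSE pre-authentication encoding carry over unchanged.

```python
"""Installer-side checks for an artifact shipped with a SLSA provenance attestation.

Example code, not from the original discussion. The artifact, statement,
builder id and signing key below are all constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable, Tuple

# Constructed sample "release binary" that the installer has just downloaded.
ARTIFACT = b"#!/bin/sh\necho 'hello from a release binary'\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed in-toto Statement carrying a SLSA provenance predicate.
# The builder id is a placeholder; a real one identifies the hosted build platform.
TRUSTED_BUILDERS = {"https://example.invalid/trusted-builder"}
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "tool-linux-amd64", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"runDetails": {"builder": {"id": "https://example.invalid/trusted-builder"}}},
}
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signature covers.
    PAE = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, lengths in decimal ASCII."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


# Demo-only HMAC signer/verifier; a real envelope is signed with a private key and
# verified with the builder's public key (or Sigstore), not a shared secret.
DEMO_KEY = b"constructed-demo-key"


def demo_sign(message: bytes) -> bytes:
    return hmac.new(DEMO_KEY, message, hashlib.sha256).digest()


def demo_verify_sig(keyid: str, message: bytes, sig: bytes) -> bool:
    return keyid == "demo-key" and hmac.compare_digest(demo_sign(message), sig)


def make_envelope(statement: dict, payload_type: str,
                  sign: Callable[[bytes], bytes], keyid: str) -> dict:
    """Wrap a statement in a DSSE envelope, signing the PAE rather than the raw JSON."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = sign(dsse_pae(payload_type, payload))
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_artifact(artifact: bytes, envelope: dict, trusted_builders: set,
                    verify_sig: Callable[[str, bytes, bytes], bool]) -> Tuple[bool, str]:
    """Return (ok, reason). Signature is checked before any field of the payload is trusted."""
    payload_type = envelope.get("payloadType", "")
    if payload_type != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(payload_type, payload)
    if not any(verify_sig(s.get("keyid", ""), pae, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return False, "no valid signature over the provenance"
    statement = json.loads(payload)
    if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        return False, "not a SLSA provenance predicate"
    actual = hashlib.sha256(artifact).hexdigest()
    if not any(hmac.compare_digest(s.get("digest", {}).get("sha256", ""), actual)
               for s in statement.get("subject", [])):
        return False, "artifact digest not in provenance subject"
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder: {builder}"
    return True, "ok"


def tamper_builder(envelope: dict, new_builder_id: str) -> dict:
    """Rewrite the builder id inside the payload WITHOUT re-signing (simulates a swapped attestation)."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["predicate"]["runDetails"]["builder"]["id"] = new_builder_id
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    return {**envelope, "payload": base64.b64encode(payload).decode()}


ENVELOPE = make_envelope(STATEMENT, PAYLOAD_TYPE, demo_sign, "demo-key")

if __name__ == "__main__":
    print(verify_artifact(ARTIFACT, ENVELOPE, TRUSTED_BUILDERS, demo_verify_sig))
    print(verify_artifact(ARTIFACT + b"\n# trailing change", ENVELOPE, TRUSTED_BUILDERS, demo_verify_sig))
    print(verify_artifact(ARTIFACT, tamper_builder(ENVELOPE, "https://example.invalid/trusted-builder"),
                          TRUSTED_BUILDERS, demo_verify_sig))
```

The ordering matters: a digest match on an unsigned or mis-signed statement proves nothing, because anyone who can swap the artifact can also write a matching statement, so the signature is checked first and the builder identity last, after the payload is known to be authentic. Provenance that is kept beside the artifact (the convention the quoted SLSA text describes) is what makes this check possible offline, but it is only as strong as the installer's list of trusted builder identities and keys.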