this post was submitted on 13 Aug 2023
72 points (96.2% liked)
Open Source
31359 readers
228 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Let's say that I do trust GitHub as the third party. Is it possible to ask GitHub itself to sign the executable with a specific key created for a given workflow, and that only GitHub owns? Maybe it already signs it. I'll look into it.
(My instance won’t fetch content from lemmy.world, I’m not sure why… That’s why I switched to this account)
Github doesn't do any signing at all nor do they rally care about the actual output of actions, pipelines or manual releases (all of that is out of their interest scope).
If there's any means of a 'secret store' for the build actions then you could store a keypair for signing the binaries as far as your target binary format and platforms support it (or go for something like a detached gpg-signature that can be stored with the build or in a central 'trusted' repository so the binary can be verified against it later).
You users however would still have no easy means to verify that signature on most platforms unless they are tech-savvy. (macOS code signing / notarization and gatekeeper check would be an example of a platform that would notify users and even fail to run the binary if it was tampered with).