Filippo Valsorda :go: on Nostr: It would be really nice if GitHub automatically signed git pushes (maybe as an opt-in ...
It would be really nice if GitHub automatically signed git pushes (maybe as an opt-in thing, and maybe tags and tarballs too) so we could prove that a certain build was made from what was pushed to a certain GitHub branch at a certain time.
IMHO would replace 80% of the use cases for git push or commit signing, with zero DX overhead: developers would still use what they use now to auth to GitHub, and then downstreams would have signed releases or point-in-time to build from.
Published at
2023-06-06 11:31:45