Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
The rgithub elease assets for the step-kms-plugin does not contain a source code archive (step-kms-plugin_.tar.gz) including a Cosign signature like the releases for step-cli and step-certificates (step-ca)
Why is this needed?
The GitHub archives based on the tag does not produce a stable checksum hash which causes from time to time issues during the rebuild of alpine packages, Adding ithe source code archive file to the release artifacts provides a source code archive with a stable checksum which can be used a a source for packaging (for examle Apline Linux packages). Adding it to the checksumtxt and adding a cosign signatures improves the validation of the source code archive for the release.
Hello!
Issue details
The rgithub elease assets for the step-kms-plugin does not contain a source code archive (step-kms-plugin_.tar.gz) including a Cosign signature like the releases for step-cli and step-certificates (step-ca)
Why is this needed?
The GitHub archives based on the tag does not produce a stable checksum hash which causes from time to time issues during the rebuild of alpine packages, Adding ithe source code archive file to the release artifacts provides a source code archive with a stable checksum which can be used a a source for packaging (for examle Apline Linux packages). Adding it to the checksumtxt and adding a cosign signatures improves the validation of the source code archive for the release.