Artifact signing #3
Description
We need a coherent public story around artifact signing and verification for our client tools.
The story should describe the threat model we are protecting against. What points in the delivery chain are protected against what type of attacker by having signatures and verifying them. Is undesirable write to CF KV store more or less likely than GitHub Secrets disclosure (eg, via bad workflow)? What about GitHub Artifact Hosting vs GitHub Secrets?
This includes versioned builds and nightlies.
My tentative thinking is a cosign key which lives in GitHub Secrets in the nats-io and CE orgs. Not sure if we should have a separate stable and a nightly signer, or one key for both. If we use cosign then we can sign checksum files and docker images.