Use sigstore software transparency for releases #21524

issue laanwj opened this issue on March 24, 2021
  1. laanwj commented at 7:11 PM on March 24, 2021: member

    Sigstore is an initiative by the Linux Foundation for software supply chain security. The goal is to be able to verify the origin of binaries as well as to ensure software transparency, so as to be able to verify that you downloaded the same binary as everyone else. Of course we already sign our releases, but the latter seems important.

    The implementation is under development and available as open source. However, the system is not live yet (as of 2021-03-24, there is a public instance test server but they warn it will get wiped).

    But I think as soon as it does go into production use, we should try to use it for our releases.
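The transparency property described in the comment above (being able to check that you downloaded the same binary as everyone else) rests on an append-only Merkle log whose head every downloader can compare, which is the structure sigstore's Rekor log uses. The following is an added illustration, not code from this issue, from Bitcoin Core or from the sigstore project: a minimal RFC 6962-style log with inclusion-proof generation and the RFC 9162 verification algorithm. The function names are this example's own, and the release entries and their digests are constructed placeholders.

```python
import hashlib
from typing import List, Tuple


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256 over a 0x00 domain-separation byte plus the entry."""
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256 over 0x01 plus the two child hashes."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def tree_head(entries: List[bytes]) -> bytes:
    """Merkle tree hash of the whole log; this is the value two users compare."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))


def inclusion_proof(index: int, entries: List[bytes]) -> List[bytes]:
    """Sibling hashes from the leaf at `index` up to the root (RFC 6962 PATH)."""
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2 inclusion check, as run by a downloader."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample log entries: artefact name plus a made-up digest.
# These are placeholders, not real release hashes.
SAMPLE_LOG = [
    b"bitcoin-X.Y.Z-x86_64-linux-gnu.tar.gz sha256=" + b"11" * 32,
    b"bitcoin-X.Y.Z-aarch64-linux-gnu.tar.gz sha256=" + b"22" * 32,
    b"bitcoin-X.Y.Z-win64.zip sha256=" + b"33" * 32,
]


def check_download(entries: List[bytes], index: int, entry_seen: bytes) -> bool:
    """True when the entry a downloader saw is provably in the log under its head."""
    root = tree_head(entries)
    proof = inclusion_proof(index, entries)
    return verify_inclusion(entry_seen, index, len(entries), proof, root)


def demo() -> Tuple[bool, bool]:
    """The genuine entry verifies; a swapped digest for the same file does not."""
    genuine = check_download(SAMPLE_LOG, 2, SAMPLE_LOG[2])
    tampered_entry = b"bitcoin-X.Y.Z-win64.zip sha256=" + b"ff" * 32
    tampered = check_download(SAMPLE_LOG, 2, tampered_entry)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Two downloaders who hold the same tree head and each verify inclusion of the entry for the file they fetched have checked that they are looking at the same log entry; a log that served different heads to different people would only be caught when those heads are compared, which is why a production deployment also needs the heads to be gossiped or witnessed rather than trusted from a single endpoint.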

  2. laanwj added the label Brainstorming on Mar 24, 2021
  3. laanwj added the label Build system on Mar 24, 2021
  4. dlorenc commented at 7:53 PM on March 31, 2021: none

    Just saw this! sigstore maintainer here. We'd love to help out however we can! Feel free to reach out on the mailing list or directly to me.

  5. laanwj commented at 10:44 AM on April 7, 2021: member

    Thank you for the response! We're kind of between build processes at the moment so there is no real hurry.

    On our side, I think we first need to iron out the new (Guix-based) deterministic build process before 0.22 (#21145 for details). From there, we can figure out how best to integrate sigstore into the process.

    I mean, the alternative is to figure how to integrate this into the current (gitian based) build process but as we're moving away from that it doesn't seem worthwhile.

  6. lukehinds commented at 8:14 AM on March 11, 2022: none

    Just revisiting this as sigstore is now a well-funded project under the open source security foundation. How are things at present? Happy to work with you, as we have helped onboard a few communities now.

  7. hebasto commented at 8:49 AM on May 4, 2024: member

    But I think as soon as it does go into production use, we should try to use it for our releases.

    The time has come?

  8. maflcko commented at 9:08 AM on May 4, 2024: member

    Does it offer any benefit over the existing workflow with guix attestations? See https://github.com/bitcoin-core/guix.sigs/

    I presume every key and every attestation would have to be done twice and then uploaded to two different places? Or can sigstore just download and mirror the contents of the https://github.com/bitcoin-core/guix.sigs/ repo on its own?

  9. willcl-ark commented at 2:47 PM on October 21, 2025: member

    This issue hasn’t attracted much interest from other contributors in quite some time.

    Given that, it doesn’t seem important enough to keep open indefinitely. I’m going to close it for now due to lack of activity, but pull requests or renewed discussion are always welcome.

    Comment here if you think this should be re-opened.

  10. willcl-ark closed this on Oct 21, 2025



This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:14 UTC
