Add an option to gh release create for signing files attached to the release #9090
Labels: enhancement (a request to improve CLI), gh-attestation (related to the gh attestation command), gh-release (relating to the gh release command)
Describe the feature or problem you’d like to solve
In order to pass this OpenSSF Scorecard check, it would be great if any files passed to gh release create could optionally get cryptographically signed with a configurable key.
Proposed solution
Add a command line option to gh release create that takes a key file (and / or GitHub secret when running inside a GitHub action) to automatically sign any uploaded files and upload the respective signature files along with it.
Additional context
Maybe also the new gh attestation command could be extended instead to sign existing releases, making this a two-step-process of first creating the release and signing its artifacts. However, that would defeat the convenience purpose a bit to not run gpg manually for all artifacts, but let gh release create do all the work.
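The manual workflow this request wants to fold into one command, as an added example (not part of the original issue and not gh's own code): sign every artifact with gpg, then pass each artifact and its detached .asc signature to gh release create. SIGNING_KEY is an assumed variable naming a key already present in the local GnuPG keyring.

```sh
#!/bin/sh
# Added example: detached-sign release artifacts with gpg, then publish the
# artifacts and their signatures in a single `gh release create` call.
# Assumption: SIGNING_KEY (hypothetical variable) names a key that already
# exists in the local GnuPG keyring.
# Usage after sourcing this file: release_signed v1.2.3 dist/app.tar.gz dist/app.zip

# sign_artifacts FILE... : write an ASCII-armored FILE.asc next to each FILE.
# Returns non-zero on the first missing file or failed signature, so the
# caller never publishes a release with only some artifacts signed.
sign_artifacts() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "missing artifact: $f" >&2
            return 1
        fi
        gpg --batch --yes --armor --local-user "$SIGNING_KEY" \
            --output "$f.asc" --detach-sign "$f" || return 1
        # Verify the signature just produced before anything is uploaded.
        gpg --batch --verify "$f.asc" "$f" 2>/dev/null || return 1
    done
}

# release_signed TAG FILE... : sign every FILE, then create the release with
# each FILE followed by its FILE.asc.
release_signed() {
    tag=$1
    shift
    [ "$#" -gt 0 ] || { echo "usage: release_signed TAG FILE..." >&2; return 2; }
    sign_artifacts "$@" || return 1
    # Rebuild the argument list as FILE FILE.asc pairs (POSIX sh has no arrays):
    # append the pair, then drop the original entry from the front.
    for f in "$@"; do
        set -- "$@" "$f" "$f.asc"
        shift
    done
    gh release create "$tag" "$@" --generate-notes
}
```

Consumers then check a download with `gpg --verify FILE.asc FILE` against the publisher's public key.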