user/securely-signing-software.md
2 additions & 1 deletion
@@ -14,7 +14,7 @@ You will be able to sign container images or any other artifacts (blobs) which a
Before getting started, make sure you have:
* A key available within a Travis CI build job.
-
* Cosign pre-installed in the Linux build environments (this is maintained bny Travis CI).
+
* Cosign pre-installed in the Linux build environments (this is maintained by Travis CI).
### Option 1: Upload Key directly to Travis CI
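Review bot: the only change in this hunk is the "bny" to "by" typo fix on the Cosign bullet, and it is correct; one further wording point while this line is being touched: "Cosign pre-installed in the Linux build environments (this is maintained by Travis CI)" could name the specific Linux images or Cosign version readers can expect, since the prerequisite list otherwise gives them no way to verify that the tool they sign with is the one documented here.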
@@ -93,6 +93,7 @@ We recommend considering following security measures:
* using separate key just for purpose of file/image signing
* using private repository to trigger builds, during which the files are signed, if possible
* reviewing who has push/write access to such repository
+
* reviewing Repository Settings, particularly the [Security Settings -> Share SSH key with forks](user/web-ui#share-ssh-keys-with-forks) setting
* excluding a build, which signs the release to a separate account/organization (if possible and viable) with limited list of collaborators
* [limiting access to repository job logs](/user/disable-job-logs/) in individual repository settings
* if using Hashicorp Vault KMS as a source of the key used for signing: always encrypt secrets needed to connect to Vault in the respective Repository Settings or the .travis.yml file
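Review bot: the link target in the added bullet, `user/web-ui#share-ssh-keys-with-forks`, is a relative path without a leading slash, while the neighbouring bullet in the same list uses the absolute form `/user/disable-job-logs/`; from a page under `user/` the relative form resolves to `user/user/web-ui`, so it should be `/user/web-ui/#share-ssh-keys-with-forks` to match. The visible label "Share SSH key with forks" and the anchor `share-ssh-keys-with-forks` also disagree on singular versus plural; please align the label with the heading on the target page. It would also help to state in the bullet which value of that setting is the safe one for a signing repository, since the list is about reducing exposure of the signing key and the reader is otherwise left to work out the recommended choice.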