GitHub Artifact Attestations, based on Sigstore, signs and verifies the integrity of software artifacts in GitHub Actions workflows.

GitHub has introduced Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifact Attestations is now available in a public beta.

Announced May 2, Artifact Attestations allows project maintainers to create a “tamper-proof, unforgeable paper trail” that links software artifacts to the process that created them. “Downstream consumers of this metadata can use it as a foundation for new security and validity checks through policy evaluations via tools like Rego and Cue,” GitHub wrote in the announcement. Verification support initially will be based on the GitHub CLI, but this will be expanded to bring the same controls to the Kubernetes ecosystem later this year.

Powering Artifact Attestations is the Sigstore open-source project for signing and verifying software artifacts. Artifact Attestations helps reduce the complexity of deploying public key infrastructure by placing trust in the security of a GitHub account, GitHub said. This is done by signing a document with a temporary key pair. The public key is attached to a certificate associated with the build system’s workload identity. The private key does not leave process memory and is discarded immediately after signing. This differs from other approaches to signing that rely on human identities and long-lived keys, GitHub said.

Setting up Artifact Attestations is done by adding YAML to a GitHub Actions workflow to create an attestation and installing the GitHub CLI tool to verify it.
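The setup the article describes, as an added example that is not from the article or from GitHub's announcement: a workflow that builds an artifact, attests it with an ephemeral Sigstore key bound to the job's workload identity, and the CLI command a consumer runs to verify it. The `actions/attest-build-provenance` action and the `gh attestation verify` subcommand come from GitHub's documentation rather than this page; the owner, repository, artifact path and build step are placeholders.

```yaml
# .github/workflows/release.yml (added example; placeholders throughout)
name: build-and-attest
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write       # lets the job obtain an OIDC workload identity for keyless signing
  attestations: write   # lets the job store the signed attestation with the repository

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Hypothetical build step; it produces the artifact that will be attested.
      - name: Build
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz src/

      # Creates a build-provenance attestation for the artifact's digest and signs
      # it with a short-lived key pair; the certificate is tied to this workflow's
      # identity, and the private key is discarded once the signature is made.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

# Downstream verification with the GitHub CLI (example-org is a placeholder).
# The command fails unless the file's digest matches an attestation that was
# signed by a workflow run in a repository belonging to that owner:
#
#   gh attestation verify dist/app.tar.gz --owner example-org
#
# Narrowing the check to a single repository, so an attestation produced by a
# sibling repository under the same owner is not accepted:
#
#   gh attestation verify dist/app.tar.gz --repo example-org/app
```

A consumer should verify before unpacking or deploying the artifact, since a mismatch between the file and its attestation is exactly the tampering the feature is meant to surface.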