Problem
Release artifacts include SHA256 checksums but no cryptographic signatures. Users can verify integrity (file was not corrupted) but not authenticity (file was produced by the project maintainers). A compromised CDN or mirror could serve tampered binaries with valid checksums.
Suggested Fix
Add cosign signing to the release workflow:
- Sign release binaries with cosign (keyless or with a stored key)
- Publish .sig files alongside binaries
- Document verification instructions in the installation guide
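The following Go program is an added illustration of the gap this finding describes; it is not code from the audit or from the project's release workflow, and it stands in for cosign with Ed25519 from Go's standard library so that it runs offline. It publishes a constructed sample artifact with both a SHA256 checksum and a detached signature, then plays a compromised mirror that swaps the binary and regenerates SHA256SUMS: the checksum check still passes, the signature check does not. Artifact bytes, type names and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models one published artifact plus the files a downloader fetches
// beside it: the SHA256SUMS entry and (after the fix) a detached .sig file.
type Release struct {
	Binary    []byte
	Checksum  string // hex SHA256, as written to SHA256SUMS
	Signature []byte // detached signature over the binary (the ".sig" file)
}

// sha256Hex returns the checksum a SHA256SUMS file would carry.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// publish is the maintainer side: hash the binary and sign it with the
// release key. Only the maintainers hold priv (cosign: a stored key or a
// keyless Fulcio-issued certificate).
func publish(priv ed25519.PrivateKey, binary []byte) Release {
	return Release{
		Binary:    binary,
		Checksum:  sha256Hex(binary),
		Signature: ed25519.Sign(priv, binary),
	}
}

// verifyChecksum is what users can do today: it only proves the bytes match
// whatever SHA256SUMS file was served next to them.
func verifyChecksum(r Release) bool {
	return sha256Hex(r.Binary) == r.Checksum
}

// verifySignature is the check the .sig file enables: the signature must have
// been produced with the maintainers' private key.
func verifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Binary, r.Signature)
}

// tamperAsMirror models a compromised CDN or mirror. It swaps the binary and
// regenerates SHA256SUMS so the checksum still matches, but it cannot forge a
// signature without the release key, so the stale .sig is all it can serve.
func tamperAsMirror(r Release, payload []byte) Release {
	return Release{
		Binary:    payload,
		Checksum:  sha256Hex(payload),
		Signature: r.Signature,
	}
}

// Outcome records what each check says about a release as served.
type Outcome struct {
	ChecksumOK  bool
	SignatureOK bool
}

// Audit runs both checks against a release as fetched from a mirror.
func Audit(pub ed25519.PublicKey, r Release) Outcome {
	return Outcome{ChecksumOK: verifyChecksum(r), SignatureOK: verifySignature(pub, r)}
}

// Scenario compares a genuine release with a mirror-tampered copy of it.
func Scenario() (genuine Outcome, tampered Outcome, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, Outcome{}, err
	}
	// Constructed sample bytes; a real release would sign the built binary.
	binary := []byte("ELF... release v1.2.3 (constructed sample bytes)")
	rel := publish(priv, binary)
	evil := tamperAsMirror(rel, []byte("ELF... backdoored build (constructed sample bytes)"))
	return Audit(pub, rel), Audit(pub, evil), nil
}

func main() {
	g, t, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:  checksum=%v signature=%v\n", g.ChecksumOK, g.SignatureOK)
	fmt.Printf("tampered: checksum=%v signature=%v\n", t.ChecksumOK, t.SignatureOK)
}
```

With cosign the same two steps are `cosign sign-blob --key cosign.key --output-signature app.sig app` on the release runner and `cosign verify-blob --key cosign.pub --signature app.sig app` on the user's machine; in keyless mode the verifier instead pins the signing identity with `--certificate-identity` and `--certificate-oidc-issuer`. Either way the public key or identity must be distributed out of band (in the repository or installation guide), not fetched from the same mirror as the binary, or the mirror can substitute that too.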
Source
Security audit, 2026-03-23.