What would you like to be added:
When rerunning the release workflow, the krel sign blobs should verify if the artifacts in the staging bucket are signed. In case they are, instead of re-signing them we should just verify them to be signed by the expected identity.
Why is this needed:
Most of the release process just noops on the each step when we rereun it. krel sign blob does not follow the same pattern. By not resigning binaries, we have the same guarantees of the other steps, meaning we can safely retry but also that other steps don't need to worry about the consistency of the signing step if it finished in a previous run.
What would you like to be added:
When rerunning the release workflow, the
krel sign blobsshould verify if the artifacts in the staging bucket are signed. In case they are, instead of re-signing them we should just verify them to be signed by the expected identity.Why is this needed:
Most of the release process just noops on the each step when we rereun it.
krel sign blobdoes not follow the same pattern. By not resigning binaries, we have the same guarantees of the other steps, meaning we can safely retry but also that other steps don't need to worry about the consistency of the signing step if it finished in a previous run.