Installation script: Support checksum signature verification #1627
Labels
enhancement
New feature or request
Comments
|
Hi @hibare, thank you for the suggestion! I think we would be open to this feature in the install script, especially if it were triggered by a command line flag. We are hesitant to make our installation script rely on a 3rd party program (cosign), but if it were an optional parameter I think that would be fine. Is this something you'd be interested in working on? We'd be happy to help. |
|
Hello @tgerla Yes, it'll be an optional parameter to the installation script. I'll be submitting a pull request in the coming days. |
wagoodman
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What would you like to be added:
Grype simplifies the installation process through a convenient script. The current script includes a checksum validation step for the binary being installed. Since Grype utilizes cosign to sign the checksum file, it would be beneficial to enhance the installation script by incorporating checksum signature validation.
Why is this needed:
This enhancement ensures consumers can effortlessly verify the installation of binaries, eliminating the need for manual verification.
Additional context:
The text was updated successfully, but these errors were encountered: