rasterstate/sccache-action
2
0
Fork 0
Code Issues 5 Pull requests Releases 1 Activity Actions

Optional cosign/sigstore signature verification (verify-signature input) #4

New issue
Open
opened 2026-05-28 02:56:25 +00:00 by stephen · 0 comments
stephen commented 2026-05-28 02:56:25 +00:00
Owner
Copy link

SHA-256 verification (shipped in v1.1.0) defends against a tampered asset on the CDN/transport, but not against a compromise of the Mozilla release flow that re-signs both tarball and sidecar. Cosign/sigstore verification would close that gap.

Blocked: as of sccache v0.15.0, Mozilla does not publish cosign signatures for the release assets. If/when upstream starts signing, add an opt-in verify-signature input (default off until cosign is reliably present on target runners).

Tracked in SECURITY.md under "What is not done yet".

SHA-256 verification (shipped in v1.1.0) defends against a tampered asset on the CDN/transport, but not against a compromise of the Mozilla release flow that re-signs both tarball and sidecar. Cosign/sigstore verification would close that gap. Blocked: as of sccache v0.15.0, Mozilla does not publish cosign signatures for the release assets. If/when upstream starts signing, add an opt-in `verify-signature` input (default off until `cosign` is reliably present on target runners). Tracked in SECURITY.md under "What is not done yet".
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v1
v1.1.2
v1.1.1
v1.1.0
v1.0.0
Labels
Clear labels   
backlog
Accepted but not scheduled

  
blocked
Blocked or stalled waiting on external progress

  
blocked:upstream
Waiting on upstream sccache

  
ci
Test workflow / runners

  
converted
Converted into tracked work

  
docs
Documentation

  
enhancement
New feature or input

  
opportunity
Potential product or business opportunity

  
p1
Priority 1

  
p2
Priority 2

  
p3
Priority 3

  
parked
Paused intentionally until later

  
security
Supply-chain / verification

No labels
backlog
blocked
blocked:upstream
ci
converted
docs
enhancement
opportunity
p1
p2
p3
parked
security
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rasterstate/sccache-action#4
No description provided.