☙ Heals
☙ hobby artist, code witch & variety streamer
☙ part-time pineapple
☙ 36, ♒️♒️♎️, enby/GF, INFP

  • 0 Posts
  • 1 Comment
Joined 1 year ago
Cake day: August 11th, 2023

  • GitHub doesn’t do any signing at all, nor do they really care about the actual output of actions, pipelines or manual releases (all of that is out of their interest scope).

    If there’s any means of a ‘secret store’ for the build actions then you could store a keypair for signing the binaries as far as your target binary format and platforms support it (or go for something like a detached gpg-signature that can be stored with the build or in a central ‘trusted’ repository so the binary can be verified against it later).

    Your users, however, would still have no easy means to verify that signature on most platforms unless they are tech-savvy. (macOS code signing / notarization and the Gatekeeper check would be an example of a platform that would notify users and even fail to run the binary if it was tampered with.)