FR: provide the signature for '*.sha256' artefacts

[bb-Ricardo]

In order to check for new releases and changes it is important to verify the provided signatures.

In this case the checksum file has no signature and we need to download the binary to verify that the signature matches the binary and then we can use the checksum to verify in our systems if the correct version is present.

Best solution would be:

• create a k8s.io checksum file containing all sha256 checksums for all currently released binaries
• sign said checksum file using the same mechanism for signing binaries
• provide downloads for
  • all binaries checksum file
  • signature of checksum file
  • signature certificate of checksum file

[ameukam]

cc @kubernetes/release-engineering

[xmudrii]

This seems similar to #3222, I'm going to transfer it to the k/release repo
/transfer release

[xmudrii]

cc @cpanato @puerco for feedback
/priority important-longterm
/triage accepted

[xmudrii]

/kind feature

[bb-Ricardo]

Hi,

#3222 (comment)

Just applying this proposed change would highly mitigate the necessity of downloading the binary blobs to verify the signature of each blob.

[k8s-triage-robot]

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted