To further improve supply chain security and provide an additional modern trust mechanism alongside GPG signatures, trusted timestamps, and in-toto attestations, the project should integrate the Sigstore Maven Plugin into the Maven build process.
Goal
Automatically sign produced Maven artifacts during release builds using Sigstore keyless signing via GitHub Actions OIDC identity.
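As an added illustration of what the integration would look like (not configuration from the project itself), the fragment below declares the Sigstore Maven Plugin inside a release-only profile so that keyless signing runs only for release builds. The profile name `release`, the version placeholder, and the assumption that the CI workflow is GitHub Actions are assumptions of this example.

```xml
<!-- Added example: activate with `mvn -Prelease deploy` (profile name is an assumption). -->
<profiles>
  <profile>
    <id>release</id>
    <build>
      <plugins>
        <plugin>
          <groupId>dev.sigstore</groupId>
          <artifactId>sigstore-maven-plugin</artifactId>
          <!-- Placeholder: pin to the current plugin release and verify its checksum. -->
          <version>SIGSTORE_MAVEN_PLUGIN_VERSION</version>
          <executions>
            <execution>
              <id>sigstore-sign</id>
              <goals>
                <!-- Signs the produced artifacts with the OIDC identity of the build;
                     on GitHub Actions that identity is the workflow's job token, so the
                     workflow (or job) must grant `permissions: id-token: write`. -->
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

Because the signing identity is the GitHub Actions job itself, consumers can later verify that a given artifact was produced by this repository's release workflow rather than by an arbitrary key holder.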