NAME
Dist::Zilla::Plugin::SigStore::SignRelease - Sign Release with SigStore
VERSION
version 0.02
SYNOPSIS
In your dist.ini:
[SigStore::SignRelease]
releaser_name = @Filter/UploadToCPAN ; The releaser that is being used
upload_to_cpan = 1 ; Upload the sigstore bundle to CPAN (optional)
sigstore_extension = sigstore.json ; Extension of the sigstore bundle (optional)
answer_yes = 1 ; Answer yes to any cosign messages (Default = 0)
Note that upload_to_cpan defaults to true (1).
DESCRIPTION
This plugin will sign a CPAN release with SigStore.
Required Plugins
This plugin requires that your Dist::Zilla configuration do the following:
1. Create a release
There are numerous combinations of Dist::Zilla plugins that can perform that step.
SIGSTORE INFORMATION
The current version requires the installation of the cosign application. That application can be accessed via the SigStore web site:
https://docs.sigstore.dev/cosign/system_config/installation/
CPAN SUPPORT
As of version 0.01 there is no support in PAUSE or any CPAN client for sigstore signature verification.
MANUAL SIGNATURE VERIFICATION
cosign verify-blob Dist-Zilla-Plugin-SigStore-SignRelease-0.01.tar.gz \
--bundle Dist-Zilla-Plugin-SigStore-SignRelease-0.01.tar.gz.sigstore.json \
--certificate-identity timlegge@gmail.com \
--certificate-oidc-issuer https://accounts.google.com
The GitHub repository also includes a script in the examples directory that can be used to manually verify signatures.
https://github.com/timlegge/perl-Dist-Zilla-Plugin-SigStore/blob/main/example/verify_sigstore.pl
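An added helper, not part of this distribution or its example directory, that derives the bundle name the same way the plugin does (archive name plus the sigstore_extension), checks that the SHA-256 embedded in the bundle's messageSignature actually refers to the archive, and then runs the pinned cosign verify-blob command shown above. The certificate identity and OIDC issuer are assumed to be supplied on the command line, and the digest pre-check is only a consistency check; the signature and certificate verification is cosign's job.

```perl
#!/usr/bin/env perl
# Added example, not part of Dist::Zilla::Plugin::SigStore::SignRelease.
# Usage: verify_release.pl Dist-0.01.tar.gz signer@example.org https://issuer.example
# Assumes the bundle sits beside the archive with the plugin's default
# extension (sigstore.json) and that `cosign` is on PATH.
use strict;
use warnings;
use JSON::PP ();
use Digest::SHA qw(sha256);
use MIME::Base64 qw(decode_base64);

# Bundle path as the plugin names it: archive name plus the extension.
sub bundle_path_for {
    my ($archive, $extension) = @_;
    $extension //= 'sigstore.json';
    return "$archive.$extension";
}

# Does the digest recorded in the bundle's messageSignature match the bytes
# we are about to verify? A mismatch means the bundle was produced for a
# different file (or the archive was altered); cosign would fail anyway,
# but checking first gives a clearer diagnostic.
sub digest_matches {
    my ($bundle, $archive_bytes) = @_;
    my $md = $bundle->{messageSignature}{messageDigest}
        or die "bundle has no messageSignature.messageDigest\n";
    die "unexpected digest algorithm: " . ($md->{algorithm} // 'none') . "\n"
        unless ($md->{algorithm} // '') eq 'SHA2_256';
    return decode_base64($md->{digest}) eq sha256($archive_bytes) ? 1 : 0;
}

sub slurp { my ($f) = @_; open my $fh, '<:raw', $f or die "$f: $!\n"; local $/; return <$fh> }

unless (caller) {    # run only when executed directly, not when required
    my ($archive, $identity, $issuer) = @ARGV;
    die "usage: $0 ARCHIVE CERT_IDENTITY OIDC_ISSUER\n" unless defined $issuer;
    my $bundle_file = bundle_path_for($archive);
    my $bundle = JSON::PP->new->decode(slurp($bundle_file));
    digest_matches($bundle, slurp($archive))
        or die "$bundle_file does not describe $archive\n";
    # Pin the expected signer identity and issuer; cosign requires both for
    # keyless verification, so a valid signature from someone else is rejected.
    my @cmd = ('cosign', 'verify-blob', $archive,
        '--bundle', $bundle_file,
        '--certificate-identity', $identity,
        '--certificate-oidc-issuer', $issuer);
    system(@cmd) == 0 or die "cosign verify-blob failed (exit " . ($? >> 8) . ")\n";
    print "$archive: digest matches bundle and cosign verification succeeded\n";
}
```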
ATTRIBUTES
- upload_to_cpan
  true (1) or false (0) - Default = 1
- sigstore_extension
  Defaults to 'sigstore.json' (Optional). The extension is appended to the end of the distribution's filename.
  example: Distribution-0.99.tar.gz.sigstore.json
- answer_yes
  true (1) or false (0) - Default = 0. This answers yes to any cosign messages that require an answer.
- releaser_name
  The name of the Dist::Zilla releaser plugin to use for uploading the sigstore bundle. Defaults to '@Filter/UploadToCPAN'. Change this if your bundle plugin has a different name in dist.ini.
  example: releaser_name = @Filter/UploadToCPAN
METHODS
- before_release
  The processing function that is called automatically before a release. It attempts to locate the plugin named by releaser_name. If found, it stores the releaser via $self->_releaser for use during after_release.
- after_release
  The main processing function that is called automatically after the release is complete. It signs the release archive with SigStore's cosign and uploads the bundle to PAUSE (if upload_to_cpan = 1).
AUTHOR
Timothy Legge timlegge@gmail.com
COPYRIGHT AND LICENSE
This software is copyright (c) 2026 by Timothy Legge timlegge@gmail.com.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.