Supply-chain security
As software supply-chain security concerns and requirements grow, dist is committed to making compliance with policies and regulations as turnkey as possible.
If there is an integration you are looking for, file an issue or join our Discord.
Signing
- Windows Codesigning
- 🔜 macOS Codesigning
- 🔜 Linux Codesigning
- 🔜 Sigstore Signing
- 🔜 Windows Trusted Signing
Attestation
SBOMs and Dependency Managers
cargo-cyclonedx
dist can optionally generate a CycloneDX-format Software Bill of Materials (SBOM) for Rust projects using the cargo-cyclonedx tool. The SBOM is written to a standalone bom.xml file that is distributed alongside your binaries in your tarballs. Users can validate that SBOM file with any compatible CycloneDX tool. For more information about using this feature, see the config documentation.
cargo-auditable
cargo-auditable can optionally be used to embed dependency information into your Rust binaries, making it possible for users to recover the full dependency tree a binary was built from, with the exact version of every crate. Users can then scan the binary itself for known vulnerabilities with the cargo-audit tool (cargo audit bin), without needing the source tree or lockfile. For more information about using this feature, see the config documentation.
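The bom.xml shipped in the tarball and the dependency list embedded in the binary describe the same build, so a consumer can cross-check one against the other and catch an SBOM that drifted from what was actually linked. The script below is an added example, not dist's, cargo-cyclonedx's or cargo-auditable's own code: it locates the embedded data in an ELF64 binary, decodes it, parses the CycloneDX components, and reports the disagreements. It assumes the cargo-auditable layout as the example's author understands it (a `.dep-v0` ELF section holding zlib-compressed JSON with a `packages` array of `name`/`version` objects); the sample ELF, dependency list and bom.xml are constructed inline so it runs offline.

```python
"""Cross-check a dist tarball's bom.xml against the dependency list that
cargo-auditable embeds in the binary.  Added example, not dist's own code.
Assumed (not taken from the page): the ELF section name ".dep-v0" and the
zlib-compressed JSON layout of the embedded data; the sample ELF and
bom.xml below are constructed for demonstration."""
import json
import struct
import xml.etree.ElementTree as ET
import zlib

CDX_NS = "{http://cyclonedx.org/schema/bom/1.5}"
AUDITABLE_SECTION = b".dep-v0"   # assumed cargo-auditable section name (ELF)
ELF_HDR = "<16sHHIQQQIHHHHHH"     # 64-byte ELF64 little-endian file header
SEC_HDR = "<IIQQQQIIQQ"           # 64-byte ELF64 section header


def auditable_section(elf: bytes) -> bytes:
    """Return the raw (still compressed) contents of the .dep-v0 section."""
    (ident, _t, _m, _v, _entry, _phoff, shoff, _flags, _ehsize, _phentsize,
     _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(ELF_HDR, elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    headers = [struct.unpack_from(SEC_HDR, elf, shoff + i * shentsize)
               for i in range(shnum)]
    # Section names live in the string table indexed by e_shstrndx.
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    for name_idx, _type, _flags, _addr, off, size, *_ in headers:
        name = strtab[name_idx:strtab.index(b"\0", name_idx)]
        if name == AUDITABLE_SECTION:
            return elf[off:off + size]
    raise LookupError("binary was not built with cargo-auditable")


def embedded_packages(elf: bytes) -> dict[str, str]:
    """Decode the embedded dependency list into {crate name: version}."""
    data = json.loads(zlib.decompress(auditable_section(elf)))
    return {p["name"]: p["version"] for p in data["packages"]}


def sbom_components(bom_xml: str) -> dict[str, str]:
    """Read every component (root product included) from a CycloneDX 1.5 bom."""
    comps = {}
    for c in ET.fromstring(bom_xml).iter(f"{CDX_NS}component"):
        name, version = c.findtext(f"{CDX_NS}name"), c.findtext(f"{CDX_NS}version")
        if name is None or version is None:
            raise ValueError("component is missing name or version")
        comps[name] = version
    return comps


def compare(elf: bytes, bom_xml: str) -> dict[str, list[str]]:
    """List crates present in only one inventory, and version disagreements."""
    embedded, sbom = embedded_packages(elf), sbom_components(bom_xml)
    return {
        "only_in_binary": sorted(set(embedded) - set(sbom)),
        "only_in_sbom": sorted(set(sbom) - set(embedded)),
        "version_mismatch": sorted(n for n in embedded.keys() & sbom.keys()
                                   if embedded[n] != sbom[n]),
    }


def build_fake_elf(payload: bytes) -> bytes:
    """Construct a minimal ELF64 file whose only content is a .dep-v0 section.
    Demonstration stand-in for a real cargo-auditable binary; it has no code."""
    shstrtab = b"\0.shstrtab\0.dep-v0\0"          # name offsets: 1 and 11
    str_off = struct.calcsize(ELF_HDR)
    dep_off = str_off + len(shstrtab)
    shoff = dep_off + len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack(ELF_HDR, ident, 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)
    null = struct.pack(SEC_HDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    strs = struct.pack(SEC_HDR, 1, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    deps = struct.pack(SEC_HDR, 11, 1, 0, 0, dep_off, len(payload), 0, 0, 1, 0)
    return hdr + shstrtab + payload + null + strs + deps


# Constructed sample: a three-crate tree in the assumed cargo-auditable shape.
SAMPLE_AUDIT = {"packages": [
    {"name": "mytool", "version": "1.2.0", "source": "local", "root": True,
     "dependencies": [1, 2]},
    {"name": "serde", "version": "1.0.210", "source": "crates.io"},
    {"name": "libc", "version": "0.2.155", "source": "crates.io"},
]}
SAMPLE_ELF = build_fake_elf(zlib.compress(json.dumps(SAMPLE_AUDIT).encode()))

# Constructed bom.xml that has drifted from the binary: libc's version differs
# and it lists a crate (anyhow) that the binary does not contain.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata><component type="application">
    <name>mytool</name><version>1.2.0</version></component></metadata>
  <components>
    <component type="library"><name>serde</name><version>1.0.210</version></component>
    <component type="library"><name>libc</name><version>0.2.150</version></component>
    <component type="library"><name>anyhow</name><version>1.0.86</version></component>
  </components>
</bom>"""

if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_ELF, SAMPLE_BOM), indent=2))
```

On a real release you would replace `SAMPLE_ELF` with the bytes of the binary from the tarball and `SAMPLE_BOM` with its bom.xml; an empty report means the SBOM agrees with what was linked. The ELF walk is deliberately minimal (64-bit little-endian only) so that the check needs nothing outside the standard library; for Mach-O or PE binaries the section lookup differs and cargo-audit's own binary scanning is the easier route.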
Software identification
dist can optionally generate an OmniBOR artifact ID for software artifacts using the omnibor-cli tool. An artifact ID is derived from the artifact's bytes, so it is reproducible by anyone holding the artifact and unique to a specific version of your software. For more information about using this feature, see the config documentation.
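Because the ID is a pure function of the artifact's bytes, a consumer can recompute it locally and compare it with the published one. The following is an added example, not dist's or omnibor-cli's own code; it assumes that an OmniBOR artifact ID is a GitOID, i.e. SHA-256 over git's blob framing (`"blob <length>\0"` followed by the content), rendered as `gitoid:blob:sha256:<hex>`. The sample artifact bytes are constructed.

```python
"""Recompute an OmniBOR artifact ID and compare it with a published one.
Added example, not dist's or omnibor-cli's code.  Assumption (not from the
page): the ID is a GitOID, sha256("blob <len>\\0" + content)."""
import hashlib
import hmac
import os

PREFIX = "gitoid:blob:sha256:"


def artifact_id(data: bytes) -> str:
    """GitOID of an in-memory artifact.  Note the length-prefixed framing:
    a plain sha256 of the file does NOT produce the same digest."""
    h = hashlib.sha256()
    h.update(b"blob %d\0" % len(data))
    h.update(data)
    return PREFIX + h.hexdigest()


def artifact_id_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Same ID computed by streaming, for binaries too large to hold in RAM."""
    h = hashlib.sha256()
    h.update(b"blob %d\0" % os.path.getsize(path))
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return PREFIX + h.hexdigest()


def verify(data: bytes, published: str) -> bool:
    """Compare a recomputed ID with a published one in constant time."""
    return hmac.compare_digest(artifact_id(data), published.strip())


# Constructed stand-in for a downloaded release binary.
SAMPLE_ARTIFACT = b"\x7fELF" + bytes(60) + b"hello from mytool 1.2.0\n"

if __name__ == "__main__":
    published = artifact_id(SAMPLE_ARTIFACT)        # what the release page lists
    print(published)
    print("intact:   ", verify(SAMPLE_ARTIFACT, published))
    print("tampered: ", verify(SAMPLE_ARTIFACT + b"\x00", published))
```

The streaming variant pre-commits to the file length, so a truncated or padded download changes the framing as well as the content and can never collide with the published ID by accident.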