Verifying releases
Cosign signatures
Each release asset is signed with keyless Sigstore/cosign in GitHub Actions. A
.sigstore.json bundle is attached for every tarball, SHA256SUMS, and
BUILD_INFO.txt.
Example:
curl -LO https://github.com/ljh-sh/macli/releases/latest/download/macli-darwin-universal.tar.xz
curl -LO https://github.com/ljh-sh/macli/releases/latest/download/macli-darwin-universal.tar.xz.sigstore.json
cosign verify-blob \
--bundle macli-darwin-universal.tar.xz.sigstore.json \
--certificate-identity-regexp '^https://github.com/ljh-sh/macli/' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
macli-darwin-universal.tar.xz
SLSA provenance
Releases also include an .intoto.jsonl SLSA provenance attestation generated by
the OpenSSF slsa-github-generator. You can verify it with
slsa-verifier:
slsa-verifier verify-artifact macli-darwin-universal.tar.xz \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/ljh-sh/macli \
--source-versioned-tag "$(macli --version | head -1)"