Verifying releases

Cosign signatures

Each release asset is signed with keyless Sigstore/cosign in GitHub Actions. A .sigstore.json bundle is attached for every tarball, SHA256SUMS, and BUILD_INFO.txt.

Example:

curl -LO https://github.com/ljh-sh/macli/releases/latest/download/macli-darwin-universal.tar.xz
curl -LO https://github.com/ljh-sh/macli/releases/latest/download/macli-darwin-universal.tar.xz.sigstore.json

cosign verify-blob \
  --bundle macli-darwin-universal.tar.xz.sigstore.json \
  --certificate-identity-regexp '^https://github.com/ljh-sh/macli/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  macli-darwin-universal.tar.xz

SLSA provenance

Releases also include an .intoto.jsonl SLSA provenance attestation generated by the OpenSSF slsa-github-generator. You can verify it with slsa-verifier:

slsa-verifier verify-artifact macli-darwin-universal.tar.xz \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/ljh-sh/macli \
  --source-versioned-tag "$(macli --version | head -1)"