🛡️ Verifying Release Artifacts#

All release artifact are provided with a build attestation.

Verify the integrity and provenance of an artifact using its associated cryptographically signed attestations.

You can verify an attestation with the GitHub command line by running:

gh attestation verify <path_to_the_release_artifact> --repo whiteprints/whiteprints

You also can verify the authenticity of release artifacts using cosign. To do so, run the following command:

cosign verify-blob \
    --new-bundle-format \
    --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
    --certificate-identity-regexp="^https://github.com/whiteprints/whiteprints/.github/workflows/upload_artifacts.yml?" \
    --bundle <path_to_the_release_artifact>.sigstore.json \
    <path_to_the_release_artifact>

Where:

<path_to_the_artifact> is the path to the artifact you want to verify.
<path_to_the_release_artifact>.sigstore.json is the path to the sigstore bundle associated with the artifact.

The sigstore bundles are available to download in the GitHub action summary that produced them.

For more details on cosign and sigstore, refer to their official documentation.

🛡️ Verifying Release Artifacts#

This Page