Release Verification

Verify the provenance and integrity of release artifacts published by this repository. Each release includes cryptographic attestations generated through GitHub Actions using Sigstore keyless signing, providing tamper-evident proof that artifacts were built from this repository's source code.

Prerequisites

Requirement    Minimum Version    Purpose
GitHub CLI     2.49.0+            gh attestation verify subcommand for validation

Install or update GitHub CLI: https://cli.github.com/

Verify Release Artifacts

Download the release artifact from the GitHub Releases page, then verify its provenance attestation:

gh attestation verify source-v1.2.3.tar.gz \
--repo microsoft/physical-ai-toolchain

Replace source-v1.2.3.tar.gz with the actual release artifact filename.

To verify the SBOM attestation specifically:

gh attestation verify source-v1.2.3.tar.gz \
--repo microsoft/physical-ai-toolchain \
--predicate-type https://spdx.dev/Document

What Verification Confirms

Successful verification proves three properties:

  • The Sigstore certificate identity is bound to this repository's GitHub Actions workflow, confirming the artifact was produced by an authorized CI/CD pipeline
  • A Rekor transparency log entry exists for the signing event, providing an immutable, publicly auditable record
  • The artifact digest matches the signed attestation, confirming the file has not been modified since signing

Inspect the SBOM

Each release includes an SPDX SBOM attestation. Download and inspect the SBOM contents using the GitHub CLI and jq:

gh attestation verify source-v1.2.3.tar.gz \
--repo microsoft/physical-ai-toolchain \
--predicate-type https://spdx.dev/Document \
--format json | jq '.verificationResult.statement.predicate'

The SBOM follows the SPDX 2.3 specification and lists all package dependencies included in the release artifact.
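The digest check listed under "What Verification Confirms" and the SBOM inspection described in this section, worked through in code. This is an added Python example, not part of this repository's documentation or tooling. It post-processes the JSON that gh attestation verify --format json prints, assuming (as the jq filter above implies) that the output is one result object or a list of them, each carrying an in-toto statement under verificationResult.statement with subject, predicateType and predicate fields. It confirms that a subject's sha256 equals the digest of the downloaded file and that the predicate type is the SPDX one, then flattens the SPDX 2.3 package list, including the purl from each package's externalRefs. The sample tarball bytes and sample JSON are constructed for the example, not taken from a real release.

```python
import hashlib
import json
import sys

# Predicate type this page uses for the SPDX SBOM attestation.
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed so large tarballs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_results(json_text):
    """Parse `gh attestation verify --format json` output.

    Assumption: the output is one result object or a list of them, each with
    an in-toto statement under verificationResult.statement.
    """
    data = json.loads(json_text)
    return data if isinstance(data, list) else [data]


def check_statement(statement, artifact_name, artifact_digest,
                    expected_predicate_type=SPDX_PREDICATE_TYPE):
    """Return a list of problems; empty means the statement's subject is the
    local file and the predicate type is the one gh was asked for."""
    problems = []
    ptype = statement.get("predicateType")
    if ptype != expected_predicate_type:
        problems.append(f"predicateType is {ptype!r}, expected {expected_predicate_type!r}")
    matching = [s for s in statement.get("subject", [])
                if s.get("digest", {}).get("sha256", "").lower() == artifact_digest.lower()]
    if not matching:
        problems.append("no subject sha256 matches the local artifact digest")
    elif artifact_name not in {s.get("name") for s in matching}:
        problems.append(f"digest matches but subject name is not {artifact_name!r}")
    return problems


def spdx_packages(predicate):
    """Flatten an SPDX 2.3 JSON document into (name, version, purl) tuples;
    SPDX keeps package URLs in externalRefs with referenceType "purl"."""
    rows = []
    for pkg in predicate.get("packages", []):
        purl = next((r.get("referenceLocator") for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        rows.append((pkg.get("name"), pkg.get("versionInfo"), purl))
    return rows


def verify_sbom(json_text, artifact_name, artifact_digest):
    """Check every result gh returned; return (problems, packages)."""
    problems, packages = [], []
    for result in load_results(json_text):
        statement = result.get("verificationResult", {}).get("statement", {})
        problems += check_statement(statement, artifact_name, artifact_digest)
        packages += spdx_packages(statement.get("predicate", {}))
    return problems, packages


# Constructed sample: a stand-in for the tarball and for the JSON gh would print.
SAMPLE_ARTIFACT_NAME = "source-v1.2.3.tar.gz"
SAMPLE_ARTIFACT_BYTES = b"constructed stand-in for the release tarball\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARTIFACT_BYTES).hexdigest()
SAMPLE_JSON = json.dumps([{"verificationResult": {"statement": {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": SAMPLE_ARTIFACT_NAME, "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": SPDX_PREDICATE_TYPE,
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "packages": [
            {"SPDXID": "SPDXRef-Package-example-lib", "name": "example-lib",
             "versionInfo": "4.5.6",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:pypi/example-lib@4.5.6"}]},
            {"SPDXID": "SPDXRef-Package-no-purl", "name": "no-purl-pkg",
             "versionInfo": "0.1"},
        ],
    },
}}}])


if __name__ == "__main__":
    if len(sys.argv) == 2:  # real use: pipe gh's JSON to stdin, name the file
        artifact = sys.argv[1]
        problems, packages = verify_sbom(sys.stdin.read(), artifact, sha256_file(artifact))
    else:                   # no arguments: run against the constructed sample
        problems, packages = verify_sbom(SAMPLE_JSON, SAMPLE_ARTIFACT_NAME, SAMPLE_DIGEST)
    for pkg_name, version, purl in packages:
        print(f"{pkg_name} {version} {purl or '(no purl)'}")
    for p in problems:
        print("PROBLEM:", p, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

To use it against a real release, pipe the command from this section into the script and pass the downloaded filename as its only argument: gh attestation verify source-v1.2.3.tar.gz --repo microsoft/physical-ai-toolchain --predicate-type https://spdx.dev/Document --format json | python verify_sbom.py source-v1.2.3.tar.gz. The script exits non-zero if the attested digest does not match the local file, which catches a download that was swapped or corrupted after gh's own verification passed on the bundle; gh still performs the certificate identity and Rekor checks, and this script does not replace them.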