v0.9.7-rc1

Pre-release

@github-actions github-actions released this 29 Apr 17:58
· 12 commits to main since this release
cd5b788

Test release using the new release process. Code is functionally identical to v0.9.6.

Verify a binary

# Set the release version and your target architecture
# Architecture options: darwin_arm64, linux_arm64, linux_x86-64
export REPO=Commit-Boost/commit-boost-client
export VERSION=vX.Y.Z
export ARCH=linux_x86-64
export BIN=commit-boost-pbs

# Download the binary tarball and its signature bundle
curl -L \
  -o "$BIN-$VERSION-$ARCH.tar.gz" \
	"https://github.com/$REPO/releases/download/$VERSION/$BIN-$VERSION-$ARCH.tar.gz"

curl -L \
  -o "$BIN-$VERSION-$ARCH.tar.gz.sigstore.json" \
  "https://github.com/$REPO/releases/download/$VERSION/$BIN-$VERSION-$ARCH.tar.gz.sigstore.json"

# Verify the binary was signed by the official CI pipeline
cosign verify-blob \
  "$BIN-$VERSION-$ARCH.tar.gz" \
  --bundle "$BIN-$VERSION-$ARCH.tar.gz.sigstore.json" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity="https://github.com/$REPO/.github/workflows/release.yml@refs/heads/main"

A successful verification prints Verified OK. If the binary was modified after being built by CI, verification will fail.

The .sigstore.json bundle for each binary is attached to the release alongside the tarball itself.
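
An added example, not part of the project's release notes: a wrapper that extracts the tarball only when the cosign check above exits successfully, using the same issuer and workflow identity. The function name verify_and_extract, its argument order and its return codes are assumptions of this example.

```bash
# Added example: fail-closed verify-then-extract for a release tarball.
# verify_and_extract and its return codes are names chosen for this example.

REPO="${REPO:-Commit-Boost/commit-boost-client}"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

verify_and_extract() {
  local version="$1" arch="$2" bin="$3" dest="$4"
  local tarball="$bin-$version-$arch.tar.gz"
  local bundle="$tarball.sigstore.json"
  local identity="https://github.com/$REPO/.github/workflows/release.yml@refs/heads/main"

  # Refuse the documentation placeholder so a copy-pasted tag is caught early.
  if [ -z "$version" ] || [ "$version" = "vX.Y.Z" ]; then
    echo "error: set a real release tag, not '$version'" >&2
    return 2
  fi

  # Both files must already be downloaded; a missing bundle is a hard failure.
  for f in "$tarball" "$bundle"; do
    if [ ! -s "$f" ]; then
      echo "error: missing or empty file: $f" >&2
      return 3
    fi
  done

  # Trust cosign's exit status, not the text it prints.
  if ! cosign verify-blob "$tarball" \
      --bundle "$bundle" \
      --certificate-oidc-issuer="$OIDC_ISSUER" \
      --certificate-identity="$identity"; then
    echo "error: signature verification failed for $tarball; not extracting" >&2
    return 1
  fi

  # Extract only after verification succeeded.
  mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}
```

Call it as verify_and_extract "$VERSION" "$ARCH" "$BIN" ./bin after the two curl downloads.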

Acknowledgements