@@ -91,63 +91,120 @@ Run the following command to verify the installation
9191Verifying release integrity
9292---------------------------
9393
94- Every dfetch release is signed with SLSA provenance attestations. To verify an installed package, use the `GitHub CLI <https://cli.github.com/ >`_:
94+ Every dfetch release carries cryptographic attestations signed by GitHub Actions
95+ and anchored in `Sigstore <https://www.sigstore.dev/ >`_. There are two
96+ complementary kinds:
97+
98+ - **SLSA build provenance ** — answers *"where did this come from?" *: proves the
99+ artifact was produced from the official source commit by the official CI
100+ workflow, and records the exact inputs used at build time.
101+ - **SBOM attestation ** (CycloneDX) — answers *"what is inside it?" *: lists every
102+ dependency bundled in the package so you can audit its composition.
103+
104+ Binary installers carry **both ** kinds of attestation (signed by ``build.yml ``).
105+ Python packages installed from PyPI carry an **SBOM attestation only ** (signed by
106+ ``python-publish.yml ``).
107+
108+ To verify, use the `GitHub CLI <https://cli.github.com/ >`_. Pass
109+ ``--predicate-type `` to target one kind specifically; omit it to accept either.
95110
96111.. tabs ::
97112
98113 .. tab :: Linux
99114
100- **For pip installations: **
115+ **Binary installer — verify build provenance: **
116+
117+ .. code-block :: bash
118+
119+ $ gh attestation verify dfetch-< version> -nix.deb \
120+ --repo dfetch-org/dfetch \
121+ --predicate-type https://slsa.dev/provenance/v1 \
122+ --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/build.yml@refs/tags/v< version> \
123+ --cert-oidc-issuer https://token.actions.githubusercontent.com
124+
125+ **Binary installer — verify SBOM attestation: **
101126
102127 .. code-block :: bash
103128
104- $ gh attestation verify --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/python-publish.yml@refs/tags/v< version> \
105- --cert-oidc-issuer https://token.actions.githubusercontent.com \
106- ~ /.local/lib/python3.x/site-packages/dfetch-< version> .dist-info/
129+ $ gh attestation verify dfetch-< version> -nix.deb \
130+ --repo dfetch-org/dfetch \
131+ --predicate-type https://cyclonedx.org/bom \
132+ --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/build.yml@refs/tags/v< version> \
133+ --cert-oidc-issuer https://token.actions.githubusercontent.com
107134
108- **For binary installers : **
135+ **pip / PyPI wheel — verify SBOM attestation : **
109136
110137 .. code-block :: bash
111138
112- $ gh attestation verify --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/build.yml@refs/tags/v< version> \
113- --cert-oidc-issuer https://token.actions.githubusercontent.com \
114- dfetch-< version> -nix.deb
139+ $ gh attestation verify ~ /.local/lib/python3.x/site-packages/dfetch-< version> .dist-info/ \
140+ --repo dfetch-org/dfetch \
141+ --predicate-type https://cyclonedx.org/bom \
142+ --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/python-publish.yml@refs/tags/v< version> \
143+ --cert-oidc-issuer https://token.actions.githubusercontent.com
115144
116145 .. tab :: macOS
117146
118- **For pip installations : **
147+ **Binary installer — verify build provenance : **
119148
120149 .. code-block :: bash
121150
122- $ gh attestation verify --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/python-publish.yml@refs/tags/v< version> \
123- --cert-oidc-issuer https://token.actions.githubusercontent.com \
124- /usr/local/lib/python3.x/site-packages/dfetch-< version> .dist-info/
151+ $ gh attestation verify dfetch-< version> -osx.pkg \
152+ --repo dfetch-org/dfetch \
153+ --predicate-type https://slsa.dev/provenance/v1 \
154+ --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/build.yml@refs/tags/v< version> \
155+ --cert-oidc-issuer https://token.actions.githubusercontent.com
125156
126- **For binary installers : **
157+ **Binary installer — verify SBOM attestation : **
127158
128159 .. code-block :: bash
129160
130- $ gh attestation verify --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/build.yml@refs/tags/v< version> \
131- --cert-oidc-issuer https://token.actions.githubusercontent.com \
132- dfetch-< version> -osx.pkg
161+ $ gh attestation verify dfetch-< version> -osx.pkg \
162+ --repo dfetch-org/dfetch \
163+ --predicate-type https://cyclonedx.org/bom \
164+ --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/build.yml@refs/tags/v< version> \
165+ --cert-oidc-issuer https://token.actions.githubusercontent.com
166+
167+ **pip / PyPI wheel — verify SBOM attestation: **
168+
169+ .. code-block :: bash
170+
171+ $ gh attestation verify /usr/local/lib/python3.x/site-packages/dfetch-< version> .dist-info/ \
172+ --repo dfetch-org/dfetch \
173+ --predicate-type https://cyclonedx.org/bom \
174+ --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/python-publish.yml@refs/tags/v< version> \
175+ --cert-oidc-issuer https://token.actions.githubusercontent.com
133176
134177 .. tab :: Windows
135178
136- **For pip installations: **
179+ **Binary installer — verify build provenance: **
180+
181+ .. code-block :: powershell
182+
183+ > gh attestation verify dfetch- < version> - win.msi `
184+ -- repo dfetch- org/ dfetch `
185+ -- predicate- type https:// slsa.dev/ provenance/ v1 `
186+ -- cert- identity https:// github.com / dfetch- org/ dfetch/ .github/ workflows/ build.yml@refs / tags/ v< version> `
187+ -- cert- oidc- issuer https:// token.actions.githubusercontent.com
188+
189+ **Binary installer — verify SBOM attestation: **
137190
138191 .. code-block :: powershell
139192
140- > gh attestation verify -- cert- identity https:// github.com / dfetch- org/ dfetch/ .github/ workflows/ python- publish.yml@refs / tags/ v< version> `
141- -- cert- oidc- issuer https:// token.actions.githubusercontent.com `
142- $env: APPDATA \Python\Python3x\site- packages\dfetch- < version> .dist- info\
193+ > gh attestation verify dfetch- < version> - win.msi `
194+ -- repo dfetch- org/ dfetch `
195+ -- predicate- type https:// cyclonedx.org/ bom `
196+ -- cert- identity https:// github.com / dfetch- org/ dfetch/ .github/ workflows/ build.yml@refs / tags/ v< version> `
197+ -- cert- oidc- issuer https:// token.actions.githubusercontent.com
143198
144- **For binary installers : **
199+ **pip / PyPI wheel — verify SBOM attestation : **
145200
146201 .. code-block :: powershell
147202
148- > gh attestation verify -- cert- identity https:// github.com / dfetch- org/ dfetch/ .github/ workflows/ build.yml@refs / tags/ v< version> `
149- -- cert- oidc- issuer https:// token.actions.githubusercontent.com `
150- dfetch- < version> - win.msi
203+ > gh attestation verify $env: APPDATA \Python\Python3x\site- packages\dfetch- < version> .dist- info\ `
204+ -- repo dfetch- org/ dfetch `
205+ -- predicate- type https:// cyclonedx.org/ bom `
206+ -- cert- identity https:// github.com / dfetch- org/ dfetch/ .github/ workflows/ python- publish.yml@refs / tags/ v< version> `
207+ -- cert- oidc- issuer https:// token.actions.githubusercontent.com
151208
152209 See `GitHub artifact attestations `_ for details.
153210
0 commit comments