sbom-diff-and-risk now has two GitHub-hosted provenance surfaces for its packaged wheel and source distribution:
- workflow-artifact attestations for the files built by
.github/workflows/sbom-diff-and-risk-ci.yml - GitHub Release verification for version-tag releases that publish those same built files as release assets
This document is about the second surface: verifying a GitHub Release and a downloaded release asset.
This page is only about the sbom-diff-and-risk tool's own GitHub Releases. If you want the quick "which verification page do I need?" guide, start with verification.md.
v1.0.0 is the stable GitHub Release contract and is marked GitHub Latest.
Production PyPI publishing remains deferred as a separate contract.
For v1.0.0, stability applies to the CLI, report schemas, policy decision
examples, evidence-confidence labels, reviewer case, and GitHub Release asset
verification path. It does not claim production PyPI availability.
The tag workflow marks rc tags as prereleases and not Latest. It explicitly
marks final tags such as v1.0.0 as GitHub Latest.
Release assets produced by the updated workflow also include a deterministic SHA256 checksum manifest named sbom-diff-and-risk-SHA256SUMS.txt. The manifest is written with filenames sorted in a stable order. It is not a separate provenance system; it is a local byte-integrity check that helps reviewers confirm downloaded wheel and source distribution files match the hashes published with the same GitHub Release.
For repeat builds of the same commit, the workflow sets SOURCE_DATE_EPOCH to
the tagged commit timestamp. It also normalizes gzip and tar timestamps in the
source distribution before checksums and attestations are generated. This
removes build-clock variance from the wheel and source distribution while
preserving package contents.
For version tags matching v*, the sbom-diff-and-risk-ci workflow:
- sets
SOURCE_DATE_EPOCHfrom the tagged commit timestamp - builds the wheel and source distribution in
build-and-attest - normalizes source-distribution gzip and tar timestamps
- generates
dist/sbom-diff-and-risk-SHA256SUMS.txtwith SHA256 hashes for the built.whland.tar.gz - uploads the distributions and checksum manifest as the workflow artifact
sbom-diff-and-risk-dist - generates a workflow artifact attestation for the built distribution files
- downloads that same workflow artifact in
publish-release-assets - publishes those exact
.whland.tar.gzfiles plus the checksum manifest as GitHub Release assets for the matching tag
This intentionally reuses the same workflow-built bytes for both the workflow artifact and the release asset surfaces. It does not add PyPI publishing or a separate rebuild-only release pipeline.
The workflow artifact attestation subject remains the built wheel and source distribution. The checksum manifest verifies hashes for those files, but the manifest itself is not presented as a replacement for artifact attestation.
GitHub Release verification is distinct from workflow artifact attestation:
gh attestation verifychecks a file against the workflow artifact attestation produced bybuild-and-attestgh release verifychecks that a GitHub Release has a valid release attestationgh release verify-assetchecks that a local file exactly matches an attested asset from that release
Release verification only works for immutable releases. Per GitHub's release integrity and immutable release documentation, immutable releases automatically generate a release attestation and protect release assets from modification after publication.
If immutable releases are not enabled for the repository, the release may still contain assets, but gh release verify and gh release verify-asset are not the source of truth. In that case, use the workflow-artifact attestation flow from self-provenance.md.
Use this path after a successful version-tag run produced by the updated workflow.
- Open the repository's Releases page.
- Open the release for the version tag you want to verify.
- Check whether the release is immutable before relying on release verification:
gh release view <tag> --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url- Confirm the release includes the packaged assets:
sbom_diff_and_risk-<version>-py3-none-any.whlsbom_diff_and_risk-<version>.tar.gzsbom-diff-and-risk-SHA256SUMS.txt
- If the repository uses immutable releases, confirm GitHub shows
Immutableon the release page. - Download the release assets locally.
- Verify the release itself with GitHub CLI:
gh release verify <tag> --repo stacknil/scientific-computing-toolkit- Verify the downloaded asset against the release attestation:
gh release verify-asset <tag> path/to/sbom_diff_and_risk-<version>-py3-none-any.whl \
--repo stacknil/scientific-computing-toolkitIf isImmutable is false, the release asset can still be downloaded, but the supported provenance path for this repository remains the workflow-artifact attestation flow from self-provenance.md.
You can inspect structured output as JSON:
gh release verify <tag> \
--repo stacknil/scientific-computing-toolkit \
--format jsongh release verify-asset <tag> path/to/sbom_diff_and_risk-<version>.tar.gz \
--repo stacknil/scientific-computing-toolkit \
--format jsonDownload the wheel, source distribution, and checksum manifest from the same release:
mkdir -p release-assets
gh release download <tag> \
--repo stacknil/scientific-computing-toolkit \
--pattern 'sbom_diff_and_risk-*' \
--pattern 'sbom-diff-and-risk-SHA256SUMS.txt' \
--dir release-assetsOn Linux or macOS, verify both distribution files with sha256sum:
cd release-assets
sha256sum --check sbom-diff-and-risk-SHA256SUMS.txtOn Windows PowerShell, verify the same manifest with Get-FileHash:
Set-Location release-assets
Get-Content .\sbom-diff-and-risk-SHA256SUMS.txt | ForEach-Object {
$expected, $file = $_ -split '\s+', 2
$actual = ((Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash).ToLowerInvariant()
if ($actual -ne $expected) {
throw "Checksum mismatch for $file"
}
"$file OK"
}A passing checksum check means the local downloaded wheel and source distribution match the hashes in the release manifest. It does not by itself prove who built or uploaded the artifacts, and the manifest itself is not the attested subject. Pair checksum verification with workflow artifact attestation or immutable release verification when you need provenance.
gh release verify-assetverifies a local file path against a release attestation. It does not verify a workflow artifact download directly unless that file is also a release asset.sbom-diff-and-risk-SHA256SUMS.txtchecks local file integrity against the release manifest. It does not replace provenance verification.- GitHub's generated source-code ZIP and tarball downloads are not covered by
gh release verify-asset. - A successful release verification does not replace the workflow-artifact attestation story; it complements it.
- This repository now has a separate TestPyPI Trusted Publishing readiness workflow, but production PyPI publishing remains deferred. For the production decision gate, publisher identity, future workflow shape, and provenance boundary, see pypi-production-publishing-decision.md.