Release Verification
What this page covers
Verify a tagged Stigmem release before deploying. The release workflow publishes package-manager provenance for npm and PyPI, and attaches supply-chain evidence to the GHCR node image.
The release workflow publishes:
Cosign signature: keyless Sigstore/cosign image signature.
SPDX SBOM: JSON SBOM attached as an OCI referrer.
SBOM attestation: SPDX JSON SBOM attestation.
BuildKit provenance: provenance attestation for the container build.
GPG signatures: detached signatures attached to the GitHub release.
Rekor entries: transparency-log entries created by the keyless signing flow.
Verify the GHCR image
Install cosign and a registry inspection tool such as crane, then verify by immutable digest rather than by a mutable tag:
IMAGE=ghcr.io/eidetic-labs/stigmem-node
VERSION=0.9.0a2
DIGEST="$(crane digest "$IMAGE:$VERSION")"
REF="$IMAGE@$DIGEST"
Verify that the image signature was issued by GitHub Actions for this repository and release workflow:
cosign verify \
--certificate-identity-regexp 'https://github.com/eidetic-labs/stigmem/.github/workflows/publish.yml@refs/tags/v.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
"$REF"
Verify the SBOM attestation:
cosign verify-attestation \
--type spdxjson \
--certificate-identity-regexp 'https://github.com/eidetic-labs/stigmem/.github/workflows/publish.yml@refs/tags/v.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
"$REF"
Verify the BuildKit provenance attestation:
cosign verify-attestation \
--type slsaprovenance \
--certificate-identity-regexp 'https://github.com/eidetic-labs/stigmem/.github/workflows/publish.yml@refs/tags/v.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
"$REF"
Retrieve the attached SBOM if you need to archive it with a change ticket or scan it with your own tooling:
cosign download sbom "$REF" > stigmem-node.spdx.json
Check Rekor evidence
Keep the cosign output with your release approval record.
It includes the certificate and transparency-log metadata needed to trace the release event. If public Rekor is temporarily unavailable, follow R-REKOR-UNAVAILABLE. Do not deploy a new production release until signature and attestation verification succeeds.
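The digest pinning, signature and attestation checks above, and the cosign output that carries the certificate and Rekor metadata, collected into one fail-closed routine. This is an added example and is not part of the Stigmem project or its release workflow. It assumes cosign and crane are on PATH, that the release tag is `v` followed by the image version, and it uses cosign's exact `--certificate-identity` flag pinned to that tag in place of the `v.*` pattern, so a signature that publish.yml produced for a different tag is rejected. The JSON layout it reads (`critical`/`optional` with `Subject`, `Issuer` and `Bundle.Payload.logIndex`) is what `cosign verify` prints on stdout for a Fulcio-issued certificate; the embedded sample output is constructed for the offline check and is not a real signature.

```python
# Added example, not Stigmem project code. Collects the digest-pinned cosign
# checks into one fail-closed routine and extracts the evidence fields worth
# keeping with the release approval record. Assumes cosign and crane are on
# PATH and that the release tag is "v" + the image version.
import json
import re
import subprocess
from dataclasses import dataclass

OIDC_ISSUER = "https://token.actions.githubusercontent.com"
WORKFLOW = "https://github.com/eidetic-labs/stigmem/.github/workflows/publish.yml"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def expected_identity(version: str) -> str:
    """Exact certificate SAN for this release. Pinning the tag (instead of the
    v.* pattern) rejects a signature made by publish.yml for some other tag."""
    return f"{WORKFLOW}@refs/tags/v{version}"


def pinned_ref(image: str, digest: str) -> str:
    """Build the image@sha256 reference, refusing anything that is not a digest."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"refusing to verify non-digest reference: {digest!r}")
    return f"{image}@{digest}"


@dataclass(frozen=True)
class Evidence:
    digest: str
    subject: str      # certificate identity (workflow@ref) from Fulcio
    issuer: str       # OIDC issuer that vouched for the identity
    log_index: int    # Rekor transparency-log index of the signing event


def extract_evidence(cosign_json: str, expected_digest: str, version: str) -> Evidence:
    """Parse `cosign verify` JSON output and re-check the fields the approval
    record depends on. Raises ValueError rather than returning partial evidence."""
    entries = json.loads(cosign_json)
    if not entries:
        raise ValueError("cosign returned no verified signatures")
    entry = entries[0]
    digest = entry["critical"]["image"]["docker-manifest-digest"]
    optional = entry["optional"]
    if digest != expected_digest:
        raise ValueError(f"signature covers {digest}, expected {expected_digest}")
    if optional.get("Issuer") != OIDC_ISSUER:
        raise ValueError(f"unexpected OIDC issuer: {optional.get('Issuer')!r}")
    if optional.get("Subject") != expected_identity(version):
        raise ValueError(f"unexpected certificate identity: {optional.get('Subject')!r}")
    bundle = optional.get("Bundle")
    if not bundle:
        raise ValueError("no Rekor bundle in signature: transparency-log evidence missing")
    return Evidence(digest, optional["Subject"], optional["Issuer"],
                    int(bundle["Payload"]["logIndex"]))


def _run(cmd: list[str]) -> str:
    """Run a CLI step; a non-zero exit aborts the whole verification."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def verify_release(image: str, version: str) -> Evidence:
    """Digest-pin, verify signature plus both attestations, return the evidence record."""
    digest = _run(["crane", "digest", f"{image}:{version}"]).strip()
    ref = pinned_ref(image, digest)
    identity = ["--certificate-identity", expected_identity(version),
                "--certificate-oidc-issuer", OIDC_ISSUER]
    signature_json = _run(["cosign", "verify", *identity, ref])
    for att_type in ("spdxjson", "slsaprovenance"):
        _run(["cosign", "verify-attestation", "--type", att_type, *identity, ref])
    return extract_evidence(signature_json, digest, version)


# Constructed sample of cosign verify output for an offline check; the
# digest, bundle fields and log index are made up, not from a real release.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/eidetic-labs/stigmem-node"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Bundle": {"SignedEntryTimestamp": "MEUCIQ...constructed...",
                   "Payload": {"body": "eyJ...constructed...", "integratedTime": 1700000000,
                               "logIndex": 123456789, "logID": "c0d23d6a...constructed..."}},
        "Issuer": OIDC_ISSUER,
        "Subject": expected_identity("0.9.0a2"),
    },
}])

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a registry,
    # call verify_release("ghcr.io/eidetic-labs/stigmem-node", "0.9.0a2").
    print(extract_evidence(SAMPLE_COSIGN_OUTPUT, SAMPLE_DIGEST, "0.9.0a2"))
```

The returned `Evidence` (digest, identity, issuer, Rekor log index) is the minimum worth filing with the approval record; it lets a reviewer later look up the transparency-log entry without re-running verification.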
Verify package provenance
For npm, install the exact package version named in the GitHub release notes and confirm that the provenance npm shows for it points back to eidetic-labs/stigmem, publish.yml, and the release tag. Record the published tarball URL and integrity value alongside it:
npm view @eidetic-labs/stigmem-ts@0.9.0-alpha.2 dist.integrity dist.tarball
For PyPI packages, use the exact versions from the release notes and verify that the PyPI project publishing metadata shows the GitHub Trusted Publisher for eidetic-labs/stigmem and .github/workflows/publish.yml.
python -m pip download --no-deps --dest /tmp/stigmem-release stigmem-py==0.9.0a2
python -m pip hash /tmp/stigmem-release/*
Store the resulting hashes in your own deployment record if you require environment-local package pinning.
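One way to keep those hashes in a form that enforces itself: turn the pip download and hash step into a requirements line that `pip install --require-hashes` accepts, then re-check any later download against that record before it is installed or mirrored. This is an added example, not Stigmem project code; it assumes the files under the download directory are whatever `pip download` produced (a wheel and an sdist), and the offline sample directory it builds contains made-up bytes under those file names, not real packages.

```python
# Added example, not Stigmem project code. Turns the pip download/hash step
# into a hash-pinned requirements line that `pip install --require-hashes`
# enforces, and re-checks a later download against that record.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so a large sdist is not loaded into memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pinned_requirement(name: str, version: str, download_dir: Path) -> str:
    """One requirements line carrying a --hash for every file pip downloaded
    (typically a wheel and an sdist), in the same form `pip hash` prints."""
    files = sorted(p for p in Path(download_dir).iterdir() if p.is_file())
    if not files:
        raise FileNotFoundError(f"nothing downloaded under {download_dir}")
    hashes = " ".join(f"--hash=sha256:{sha256_of(p)}" for p in files)
    return f"{name}=={version} {hashes}"


def recorded_hashes(requirement_line: str) -> set[str]:
    """Extract the sha256 values pinned in a requirements line."""
    return {tok.split("sha256:", 1)[1].lower()
            for tok in requirement_line.split()
            if tok.startswith("--hash=sha256:")}


def check_download(path: Path, requirement_line: str) -> bool:
    """Fail closed: True only if the file's digest is one recorded for the release."""
    return sha256_of(Path(path)) in recorded_hashes(requirement_line)


def constructed_download_dir() -> Path:
    """Stand-in for /tmp/stigmem-release with made-up file contents so the
    example runs offline; the names mimic what pip download would produce."""
    d = Path(tempfile.mkdtemp(prefix="stigmem-release-"))
    (d / "stigmem_py-0.9.0a2-py3-none-any.whl").write_bytes(b"constructed wheel bytes")
    (d / "stigmem_py-0.9.0a2.tar.gz").write_bytes(b"constructed sdist bytes")
    return d


if __name__ == "__main__":
    d = constructed_download_dir()
    line = pinned_requirement("stigmem-py", "0.9.0a2", d)
    print(line)  # paste into requirements.txt; install with pip install --require-hashes -r requirements.txt
    print(check_download(d / "stigmem_py-0.9.0a2.tar.gz", line))
```

Because the line carries one `--hash` per distribution file, pip will accept either the wheel or the sdist but nothing else for that version; with `--require-hashes` a single unpinned dependency in the same file causes pip to refuse the whole install, which is the behaviour you want for environment-local pinning.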
Verify GPG release signatures
The GitHub release may attach detached ASCII-armored GPG signatures for release artifacts, plus stigmem-release-signing-key.asc. These signatures are created and uploaded manually by the release maintainer after publication.
Import the release public key, download the artifact and matching .asc signature, then verify:
gpg --import stigmem-release-signing-key.asc
gpg --verify stigmem-node-sbom.spdx.json.asc stigmem-node-sbom.spdx.json
gpg --verify stigmem-node-image-digest.txt.asc stigmem-node-image-digest.txt
gpg --verify <artifact>.asc <artifact>
Treat a failed GPG verification as a release-blocking integrity failure. Do not mirror or deploy an artifact whose detached signature does not verify.
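A way to apply that rule mechanically: run gpg with its machine-readable status output and accept an artifact only when gpg reports VALIDSIG from the expected release-key fingerprint. The exit status alone is not enough, because gpg exits 0 for a good signature from any imported key. This is an added example, not Stigmem project code; the fingerprint constant is a placeholder to be replaced with the one shown when importing stigmem-release-signing-key.asc, and the status lines embedded for the offline check are constructed, not output from a real verification.

```python
# Added example, not Stigmem project code. Runs gpg --verify with machine-
# readable status output and accepts a signature only when gpg reports
# VALIDSIG from the expected release-key fingerprint. Exit status alone is
# not enough: gpg exits 0 for a good signature from any imported key.
import subprocess

# Placeholder: replace with the fingerprint shown by
# `gpg --import-options show-only --import stigmem-release-signing-key.asc`.
EXPECTED_RELEASE_FPR = "0000000000000000000000000000000000000000"

# Status keywords that mean the signature must be treated as failed.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signature_verdict(status_text: str, expected_fpr: str) -> tuple[bool, str]:
    """Parse [GNUPG:] status lines. Returns (accepted, reason)."""
    fingerprints: set[str] = set()
    failures = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG":
            # Field 3 is the signing (sub)key fingerprint; the optional last
            # field is the primary-key fingerprint. Both are 40 hex characters.
            fingerprints.update(f.upper() for f in fields[2:] if len(f) == 40)
        elif keyword in FAILURE_KEYWORDS:
            failures.append(keyword)
    if failures:
        return False, "gpg reported " + ", ".join(failures)
    if not fingerprints:
        return False, "no VALIDSIG line: signature was not verified"
    if expected_fpr.upper() not in fingerprints:
        return False, f"valid signature, but from an unexpected key: {sorted(fingerprints)}"
    return True, "valid signature from the expected release key"


def verify_detached(artifact: str, expected_fpr: str = EXPECTED_RELEASE_FPR) -> str:
    """Verify <artifact>.asc against <artifact>; raise on any failure."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", f"{artifact}.asc", artifact],
        capture_output=True, text=True)
    accepted, reason = signature_verdict(proc.stdout, expected_fpr)
    if proc.returncode != 0 or not accepted:
        raise RuntimeError(f"release-blocking: {artifact}: {reason} (gpg exit {proc.returncode})")
    return reason


# Constructed status output for an offline check; fingerprints are made up.
CONSTRUCTED_FPR = "1234567890ABCDEF1234567890ABCDEF12345678"
CONSTRUCTED_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 90ABCDEF12345678 Stigmem Release Signing (constructed)\n"
    f"[GNUPG:] VALIDSIG {CONSTRUCTED_FPR} 2024-01-01 1704067200 0 4 0 1 10 01 {CONSTRUCTED_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
CONSTRUCTED_BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 90ABCDEF12345678 Stigmem Release Signing (constructed)\n"
)

if __name__ == "__main__":
    # Offline demonstration; against real files call
    # verify_detached("stigmem-node-sbom.spdx.json").
    print(signature_verdict(CONSTRUCTED_GOOD_STATUS, CONSTRUCTED_FPR))
    print(signature_verdict(CONSTRUCTED_BAD_STATUS, CONSTRUCTED_FPR))
```

Pinning the fingerprint also covers the case where the artifact was signed with a different key that happens to be in the verifier's keyring; that key's signature would be "good" to gpg but is not the release key, and the verdict treats it as a failure.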
Reproducibility expectations
The signed container provenance is the supported reproducibility evidence for the future stable-readiness line.
It identifies the source repository, release tag, commit, workflow, Dockerfile, and builder inputs used for the released image.
Arbitrary later rebuilds may not produce the same byte-for-byte image digest if upstream base image digests, package indexes, or toolchains have moved. Treat a digest mismatch from a later local rebuild as an investigation signal, then compare the signed provenance and SBOM before deployment.