
v0.1.0


@github-actions github-actions released this 20 Dec 12:34
· 33 commits to main since this release
1a04486

tpm-trust v0.1.0

What's Changed

This release contains the tpm-trust binary and OCI images built from commit 1a04486f28e69d7be4e3c990d679831e742025ab.

Artifacts

  • tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION - CLI binaries for various platforms (stored in archives)
  • tpm-trust_$VERSION_$OS_$ARCH.$EXTENSION.sbom.json - SBOMs for the binaries in SPDX format
  • checksums.txt - SHA-256 checksums of all artifacts
  • checksums.txt.sigstore.json - Sigstore signature bundle for checksum verification

Verification

Important

If you are not familiar with software supply chain security concepts
(e.g. build provenance attestations, keyless signatures), please read the following resources first:

For complete security verification, follow this two-step process:

Step 1: Verify Integrity with Cosign

First, verify the integrity of the checksums file using Cosign:

Tip

Make sure to use cosign >= v2.4.3 to support the Sigstore bundle format.

# Verify the checksums signature
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/loicsikidi/tpm-trust/.github/workflows/release.yaml@refs/tags/v0.1.0' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

# Verify any artifact matches the checksum
sha256sum -c checksums.txt

Step 2: Verify Provenance with GitHub CLI

Once the checksum integrity is established, verify the provenance using GitHub's attestation system:

# Verify the archive
gh attestation verify tpm-trust_0.1.0_linux_amd64.tar.gz --repo loicsikidi/tpm-trust
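The two steps above as one script, added here as an example and not part of the tpm-trust project: it pins the signing identity exactly instead of with an unanchored regexp, checks only the one archive you actually downloaded (a plain `sha256sum -c checksums.txt` complains about every artifact that is not present locally), and then runs the provenance check. It assumes cosign >= v2.4.3 and the gh CLI are installed and that checksums.txt, checksums.txt.sigstore.json and the archive sit in the current directory; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not tpm-trust project code): both verification steps for one
# downloaded release archive. Assumes cosign >= v2.4.3 and gh on PATH, and that
# checksums.txt, checksums.txt.sigstore.json and the archive are in the cwd.
set -eu

REPO="loicsikidi/tpm-trust"
TAG="v0.1.0"
# Exact identity rather than a regexp: an unanchored pattern with unescaped
# dots also accepts other workflow paths and tags that merely contain it.
IDENTITY="https://github.com/${REPO}/.github/workflows/release.yaml@refs/tags/${TAG}"
ISSUER="https://token.actions.githubusercontent.com"

# Step 1a: the checksum list must be signed by this repo's release workflow at
# this tag, with a certificate issued through the GitHub Actions OIDC issuer.
verify_checksums_signature() {
  cosign verify-blob \
    --bundle checksums.txt.sigstore.json \
    --certificate-identity "$IDENTITY" \
    --certificate-oidc-issuer "$ISSUER" \
    checksums.txt
}

# SHA-256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | awk '{ print $1 }'
}

# Step 1b: compare ONE artifact with its entry in the signed list.
# `sha256sum -c checksums.txt` fails on every artifact you did not download,
# and `--ignore-missing` would silently skip a mistyped name, so the entry is
# looked up explicitly and must exist (with or without the "*" binary marker).
verify_artifact_checksum() {
  local artifact="$1" checksums="${2:-checksums.txt}" expected actual
  expected=$(awk -v f="$artifact" '$2 == f || $2 == ("*" f) { print $1 }' "$checksums")
  [ -n "$expected" ] || { echo "$artifact is not listed in $checksums" >&2; return 1; }
  actual=$(sha256_of "$artifact" 2>/dev/null)
  [ -n "$actual" ] || { echo "cannot hash $artifact (missing?)" >&2; return 1; }
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $artifact" >&2; return 1; }
}

# Step 2: build provenance, i.e. the archive came from this repository's workflow.
verify_provenance() {
  gh attestation verify "$1" --repo "$REPO"
}

main() {  # runs only when an artifact name is passed on the command line
  local artifact="${1:-tpm-trust_0.1.0_linux_amd64.tar.gz}"
  verify_checksums_signature && verify_artifact_checksum "$artifact" \
    && verify_provenance "$artifact" && echo "all checks passed for $artifact"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./verify-release.sh tpm-trust_0.1.0_linux_amd64.tar.gz`; any failing step aborts with a non-zero exit, so it can gate an install script.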

Changelog

Generated with GoReleaser 🚀