Skip to content

Verify a release

This is a narrative walkthrough of the same commands in SECURITY.md. Run it whenever you install a gdlc release, or before approving a PR that adds or re-pins a cataloged plugin.

Terminal window
gh release download v0.1.0 --repo modeled-information-format/gdlc \
--pattern 'gdlc-*.tar.gz'
Terminal window
TARBALL="gdlc-0.1.0.tar.gz"
REPO="modeled-information-format/gdlc"
gh attestation verify "$TARBALL" --repo "$REPO" \
--predicate-type https://slsa.dev/provenance/v1
gh attestation verify "$TARBALL" --repo "$REPO" \
--predicate-type https://cyclonedx.org/bom

Both should print ✓ Verification succeeded!. If either fails, stop — do not install the tarball.

Terminal window
SEAM="modeled-information-format/.github/.github/workflows/reusable-attest-scan.yml"
for pt in shellcheck semgrep secrets manifest sast sca iac-license; do
echo "=== ${pt} ==="
gh attestation verify "$TARBALL" --owner modeled-information-format \
--signer-workflow "$SEAM" \
--predicate-type "https://modeled-information-format.github.io/attestations/${pt}/v1"
done

Each predicate’s body carries the actual verdict — a passing signature proves the gate ran and recorded a result bound to this exact tarball digest, not that the result was clean. Read the predicate if you need the verdict itself, not just proof it was recorded.

Terminal window
cosign verify-blob .claude-plugin/marketplace.json \
--bundle marketplace.json.cosign.bundle \
--certificate-identity-regexp '^https://github\.com/modeled-information-format/\.github/\.github/workflows/reusable-cosign-sign\.yml@' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com

Treat any verification failure — a non-zero exit from gh attestation verify or cosign verify-blob — as a supply-chain integrity breach. Do not install or use the artifact; open a security advisory (see SECURITY.md) instead of a public issue.