Verify a release
This is a narrative walkthrough of the same commands in
SECURITY.md. Run it whenever you
install a gdlc release, or before approving a PR that adds or re-pins a
cataloged plugin.
1. Download the release tarball
Section titled “1. Download the release tarball”gh release download v0.1.0 --repo modeled-information-format/gdlc \ --pattern 'gdlc-*.tar.gz'2. Verify SLSA provenance and the SBOM
Section titled “2. Verify SLSA provenance and the SBOM”TARBALL="gdlc-0.1.0.tar.gz"REPO="modeled-information-format/gdlc"
gh attestation verify "$TARBALL" --repo "$REPO" \ --predicate-type https://slsa.dev/provenance/v1
gh attestation verify "$TARBALL" --repo "$REPO" \ --predicate-type https://cyclonedx.org/bomBoth should print ✓ Verification succeeded!. If either fails, stop — do not
install the tarball.
3. Verify each seam-signed gate verdict
Section titled “3. Verify each seam-signed gate verdict”SEAM="modeled-information-format/.github/.github/workflows/reusable-attest-scan.yml"
for pt in shellcheck semgrep secrets manifest sast sca iac-license; do echo "=== ${pt} ===" gh attestation verify "$TARBALL" --owner modeled-information-format \ --signer-workflow "$SEAM" \ --predicate-type "https://modeled-information-format.github.io/attestations/${pt}/v1"doneEach predicate’s body carries the actual verdict — a passing signature proves the gate ran and recorded a result bound to this exact tarball digest, not that the result was clean. Read the predicate if you need the verdict itself, not just proof it was recorded.
4. Verify the catalog signature
Section titled “4. Verify the catalog signature”cosign verify-blob .claude-plugin/marketplace.json \ --bundle marketplace.json.cosign.bundle \ --certificate-identity-regexp '^https://github\.com/modeled-information-format/\.github/\.github/workflows/reusable-cosign-sign\.yml@' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com5. What to do on failure
Section titled “5. What to do on failure”Treat any verification failure — a non-zero exit from gh attestation verify
or cosign verify-blob — as a supply-chain integrity breach. Do not install
or use the artifact; open a security advisory (see SECURITY.md)
instead of a public issue.