Verification
Verify release assets and SBOMs with Sigstore Cosign.
Phase 1 uses:

- GitHub Releases for distribution (cargo-dist)
- Keyless signing with Sigstore Cosign
- SBOM generation (SPDX-JSON)
Verify Release Asset Signatures
Download a release asset and its .sig and .crt files. Then:
```bash
cosign verify-blob \
  --certificate <asset>.crt \
  --signature <asset>.sig \
  --certificate-identity <signing-workflow-identity> \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <asset>
```

`<asset>` is the downloaded file and `<signing-workflow-identity>` is a placeholder for the identity of the workflow that signed the release (see Notes); cosign refuses keyless verification unless an expected identity and OIDC issuer are given.

Verify SBOM
```bash
cosign verify-blob \
  --certificate sbom.spdx.json.crt \
  --signature sbom.spdx.json.sig \
  --certificate-identity <signing-workflow-identity> \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  sbom.spdx.json
```

Notes
Cosign keyless verification checks the signing identity recorded in the certificate, so the expected identity and issuer you pass must match this repository and the workflow that produced the release. For GitHub Actions keyless signing the identity is the workflow reference, of the form `https://github.com/<org>/<repo>/.github/workflows/<workflow>.yml@refs/tags/<tag>`, and the OIDC issuer is `https://token.actions.githubusercontent.com`. A signature that verifies under any other identity is not a valid release signature and should be rejected.
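Both verification steps above applied to a whole downloaded release, as an added example that is not part of the project's own tooling: it refuses a release in which any asset (including the SBOM) lacks its `.sig`/`.crt` pair, then runs `cosign verify-blob` on each asset. It assumes cosign v2 on PATH; `EXPECTED_IDENTITY` is a placeholder to replace with the real signing workflow reference.

```shell
# Added example, not the project's own tooling: verify every asset in a downloaded
# release directory with cosign keyless verification. Assumes cosign v2 on PATH;
# the identity value is a placeholder for the workflow that actually signed the release.
COSIGN="${COSIGN:-cosign}"
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/<org>/<repo>/.github/workflows/<workflow>.yml@refs/tags/<tag>}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"
# Print the names of assets in directory $1 that lack a companion .sig or .crt file.
find_unsigned() {
  dir=$1
  for f in "$dir"/*; do
    case "$f" in *.sig|*.crt) continue ;; esac
    [ -f "$f" ] || continue
    if [ ! -f "$f.sig" ] || [ ! -f "$f.crt" ]; then
      printf '%s\n' "${f##*/}"
    fi
  done
}
# Verify one asset against its .sig/.crt; the exit status is cosign's.
verify_asset() {
  asset=$1
  "$COSIGN" verify-blob \
    --certificate "$asset.crt" \
    --signature "$asset.sig" \
    --certificate-identity "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$asset"
}
# Verify all assets in directory $1. Returns 1 if any asset is unsigned, so a
# release with a missing signature is rejected rather than silently skipped.
verify_release_dir() {
  dir=$1
  unsigned=$(find_unsigned "$dir")
  if [ -n "$unsigned" ]; then
    printf 'unsigned assets:\n%s\n' "$unsigned" >&2
    return 1
  fi
  status=0
  for f in "$dir"/*; do
    case "$f" in *.sig|*.crt) continue ;; esac
    [ -f "$f" ] || continue
    if verify_asset "$f"; then
      printf 'OK   %s\n' "${f##*/}"
    else
      printf 'FAIL %s\n' "${f##*/}" >&2
      status=1
    fi
  done
  return "$status"
}
```

Source the file and run `verify_release_dir ./release` against the directory holding the downloaded assets; a non-zero exit means at least one asset was unsigned or failed verification.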