GitHub's attestations are Sigstore bundles under the hood. You can verify them using any Sigstore client. Here are a few options that support verifying GitHub attestations:
To install sigstore-python, use the following command:
python -m pip install sigstore
To verify an artifact using sigstore-python, run the following command:
sigstore verify github <artifact> --bundle <attestation.json> --repository <repository>
Replace <artifact> with the name of the artifact you want to verify, <attestation.json> with the path to your attestation file, and <repository> with the GitHub repository in the format owner/repo.
Here's an example of how to use sigstore-python to verify an artifact:
sigstore verify github some-artifact --bundle attestation.json --repository foo/bar
This command verifies some-artifact against attestation.json (which may have been downloaded via gh attestation download), using the GitHub repository identity foo/bar.
You can also perform the verification directly with GitHub CLI:
- Download the attestation:
  gh attestation download
- Verify the downloaded attestation:
  gh attestation verify
This method allows you to pass the downloaded attestation into gh attestation verify
without needing a subsequent online operation.
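Because a GitHub attestation is a Sigstore bundle, you can inspect what it claims before handing it to a verifier. The added example below (not code from the page, sigstore-python or the GitHub CLI) decodes the DSSE envelope in a bundle shaped like the JSONL that gh attestation download writes, reads the in-toto statement, and checks that the artifact's SHA-256 is among its subjects. The bundle, artifact bytes and placeholder signature are constructed for illustration; this check only answers "is this attestation about my file?", and the signature, certificate identity and transparency-log checks remain the job of gh attestation verify or sigstore verify github.

```python
import base64
import hashlib
import json

# Constructed sample: a minimal Sigstore bundle in the JSON layout used by
# `gh attestation download`. The certificate and signature are placeholders,
# so this bundle cannot pass cryptographic verification; it only shows the shape.
ARTIFACT_BYTES = b"hello from some-artifact\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "some-artifact",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"certificate": {"rawBytes": "PLACEHOLDER"},
                             "tlogEntries": []},
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "signatures": [{"sig": "PLACEHOLDER", "keyid": ""}],
    },
}


def statement_from_bundle(bundle: dict) -> dict:
    """Decode the in-toto statement carried in the bundle's DSSE envelope.

    Reads the payload only; the DSSE signature is NOT checked here."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env['payloadType']!r}")
    return json.loads(base64.b64decode(env["payload"]))


def subject_matches(bundle: dict, artifact: bytes) -> bool:
    """True if the artifact's SHA-256 appears among the statement's subjects.

    A match means the attestation is about this file; whether it is genuine
    is decided by `gh attestation verify` or `sigstore verify github`."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest
               for s in statement_from_bundle(bundle)["subject"])


if __name__ == "__main__":
    print("predicateType:", statement_from_bundle(SAMPLE_BUNDLE)["predicateType"])
    print("subject matches artifact:", subject_matches(SAMPLE_BUNDLE, ARTIFACT_BYTES))
```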
You can share these instructions openly. For any updates or further assistance, refer to the Sigstore community or the GitHub Community.