Release Signing and Verification¶
KiCad MCP Pro uses artifact-specific release verification instead of relying on maintainer workstation signatures.
Policy¶
- Release artifacts are built by GitHub Actions from the canonical repository.
- Publishing jobs use protected environments and job-scoped permissions.
- Release evidence must be generated before publication when supported by the artifact type.
- Users should prefer package-manager provenance, GitHub artifact attestations, checksums, and container signatures over locally-built artifacts from untrusted forks.
Artifact verification mechanisms¶
| Artifact | Verification mechanism |
|---|---|
| Python wheel and sdist | SHA256 checksums, SBOM, GitHub artifact attestations, PyPI trusted publishing / attestations where supported |
| npm wrapper | npm provenance, SHA256 checksums, SBOM, GitHub artifact attestations |
| Protocol schemas package | npm provenance, SHA256 checksums, SBOM, GitHub artifact attestations |
| Docker image | digest-pinned image references, BuildKit provenance/SBOM, Trivy scan, and keyless cosign signature for GHCR image digests |
| GUI bundles | release workflow evidence and platform-specific release notes; platform code signing may be unavailable unless vendor credentials are configured |
Maintainer checklist¶
Before publishing a release:
- Confirm the release commit is on
mainand all required checks passed. - Confirm generated version metadata and package manifests agree.
- Confirm checksums, SBOMs, and attestations were created or that the exception is documented.
- Confirm package-manager publish jobs use trusted publishing, OIDC, or a protected environment.
- Confirm release notes do not overclaim KiCad or EDA sign-off coverage.
User verification guidance¶
Users should verify artifacts by:
- installing from official package registries or GHCR;
- using immutable version tags or image digests;
- checking release checksums when downloading artifacts manually;
- using
gh attestation verifyfor attested artifacts; - using
cosign verifyfor signed container images.
See release-integrity.md for command examples.