Release Integrity
ZapTrace release integrity relies on GitHub Releases, workflow logs, SBOM generation, and artifact attestations.
What to verify
For an official release, verify:
- The release tag matches the package version.
- The release was created by the repository release workflow.
- Release assets are associated with the release tag.
- SBOM/provenance or attestation artifacts are present when the workflow produced them.
- The changelog describes user-visible and security-relevant changes.
Verify with GitHub CLI
gh release view v0.3.0 --repo oaslananka/zaptrace
gh release download v0.3.0 --repo oaslananka/zaptrace --dir /tmp/zaptrace-release
Verify artifact attestation
When GitHub artifact attestations are available, use GitHub's attestation verification tooling for the release assets. The expected repository identity is:
The expected workflow is the repository release workflow under .github/workflows/release.yml.
Hashes and checksums
If a release includes a checksum manifest, compute the hash of each local artifact and compare it against the manifest entry; any mismatch or missing entry means the artifact must not be used. If a release does not include a checksum manifest, rely on GitHub release transport security plus whatever attestations or SBOM the workflow produced, and track checksum-manifest automation as a release-hardening improvement.
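The attestation check and the checksum comparison described above, as an added example that is not part of the ZapTrace project's own tooling: `verify_checksum_manifest` checks every entry of a `SHA256SUMS`-style manifest against the downloaded files and fails on any mismatch or missing file, and `verify_release_assets` wraps the `gh` download and attestation calls. The manifest file name, the constructed sample files, and the availability of `gh attestation verify --signer-workflow` (recent gh versions) are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded ZapTrace release directory.
# Assumes a "SHA256SUMS" manifest with "<hex>  <file>" lines and a gh
# version that supports `gh attestation verify --signer-workflow`.
set -u

REPO="oaslananka/zaptrace"
RELEASE_WORKFLOW="$REPO/.github/workflows/release.yml"

# Return 0 only if every manifest entry matches a present local file.
# Usage: verify_checksum_manifest <dir> <manifest-file>
verify_checksum_manifest() {
  dir=$1; manifest=$2; bad=0
  [ -f "$dir/$manifest" ] || { echo "missing manifest $manifest" >&2; return 1; }
  while read -r expected name; do
    [ -n "$expected" ] || continue          # skip blank lines
    name=${name#\*}                         # tolerate "*file" binary markers
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; bad=1; continue
    fi
    actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then echo "OK       $name"
    else echo "MISMATCH $name" >&2; bad=1; fi
  done < "$dir/$manifest"
  return $bad
}

# Download a tagged release and check each asset's attestation against the
# expected repository and release workflow (needs network and gh).
verify_release_assets() {
  tag=$1; dir=$2
  gh release download "$tag" --repo "$REPO" --dir "$dir" || return 1
  for f in "$dir"/*; do
    case "$f" in *SHA256SUMS*) continue ;; esac
    gh attestation verify "$f" --repo "$REPO" --signer-workflow "$RELEASE_WORKFLOW" || return 1
  done
  verify_checksum_manifest "$dir" SHA256SUMS
}

# Offline demonstration on constructed files: one intact run, then one
# where an asset has been altered after the manifest was written.
demo_checksum_verification() {
  d=$(mktemp -d)
  printf 'zaptrace wheel bytes\n' > "$d/zaptrace-0.3.0-py3-none-any.whl"
  printf 'zaptrace sdist bytes\n' > "$d/zaptrace-0.3.0.tar.gz"
  (cd "$d" && sha256sum zaptrace-0.3.0-py3-none-any.whl zaptrace-0.3.0.tar.gz > SHA256SUMS)
  if verify_checksum_manifest "$d" SHA256SUMS; then good=0; else good=1; fi
  printf 'altered\n' >> "$d/zaptrace-0.3.0.tar.gz"   # constructed modification
  if verify_checksum_manifest "$d" SHA256SUMS; then altered=0; else altered=1; fi
  rm -rf "$d"
  [ "$good" -eq 0 ] && [ "$altered" -ne 0 ]         # intact passes, altered fails
}
```

Run `verify_release_assets v0.3.0 /tmp/zaptrace-release` for a real release; `demo_checksum_verification` exercises only the manifest logic offline.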
Non-claims
Release integrity verifies artifact origin and tamper evidence. It does not prove that generated hardware is safe, manufacturable, compliant, or correct.