Olivares AI governs the agents on your infrastructure, so its own supply chain is part of your trust model. Before you run a release, prove it is the one we published. Every release ships the artifacts you need to verify that cryptographically — and the verification can run with no network at all, which is the path for disconnected and air-gapped estates.
Do not pipe an installer into a shell. Download the artifacts, verify them, then run them. The steps below are how.
What ships with a release
A tagged release carries the binary archives plus everything needed to attest them:
| Artifact | What it is |
|---|---|
| `checksums.txt` (+ `.sig`, `.pem`) | SHA-256 of every artifact, with a cosign signature and (keyless) certificate |
| `*_<os>_<arch>.tar.gz` | the release archive(s) for linux/darwin × amd64/arm64 |
| `*.spdx.sbom.json` / `*.cdx.sbom.json` | per-archive SBOM, shipped in both SPDX and CycloneDX form |
| `*.sbom.sigstore.json` | the SPDX SBOM wrapped as a signed in-toto attestation over the archive |
| `*.vex.sigstore.json` | an OpenVEX statement as a signed in-toto attestation over the archive |
| `*.intoto.jsonl` | SLSA build provenance (generated by slsa-github-generator) |
| container image | published to a registry, signed and attested, pinned by digest |
The attestations reference each artifact by its bytes, never by a mutable tag.
The one-command path
The repository ships scripts/verify-release.sh. Run it from the directory holding the downloaded files; it walks the whole chain and reports each step:
```sh
# Keyless (Sigstore) — default. Needs network to the transparency log (Rekor).
scripts/verify-release.sh

# Key-based — verify against the project's public key (air-gap friendly).
scripts/verify-release.sh --key cosign.pub

# Fully offline — key-based, no transparency-log network at all.
scripts/verify-release.sh --key cosign.pub --offline

# Pin SLSA provenance to a specific source tag.
scripts/verify-release.sh --source-tag <version>
```
How the network is used depends on the signing model. Keyless signatures carry a Rekor transparency-log entry, so the default path reaches Rekor (you can pass --offline to use a bundled entry instead). Key-based signatures are produced without a Rekor entry, so the script adds --insecure-ignore-tlog and contacts nothing. The --key cosign.pub --offline combination is the genuinely disconnected path.
The script requires cosign and sha256sum; slsa-verifier is optional. Steps whose artifacts (or whose verifier) are absent are skipped with a clear note rather than failing — so it works on a minimal release and fully verifies a complete one.
What it checks, step by step
If you prefer to run the checks by hand, this is the chain. Substitute <archive> with each *.tar.gz.
1. Signature over the checksums
Verifying checksums.txt transitively trusts every artifact listed in it. Keyless verification pins the signing identity to the project’s GitHub Actions OIDC identity:
```sh
cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp '^https://github.com/olivaresai/olivares' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt
```
Key-based instead uses cosign verify-blob --key cosign.pub --signature checksums.txt.sig --insecure-ignore-tlog checksums.txt.
2. Artifact integrity
Re-compute every artifact’s hash against the now-trusted manifest:
```sh
sha256sum --check checksums.txt
```
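`sha256sum --check` only tests the files the manifest names, so a file in the download directory that `checksums.txt` never lists passes unnoticed. The added example below (not part of the project's scripts) fails on such files as well as on hash mismatches; it assumes GNU `sha256sum` and the `<sha256>  <name>` manifest format, and both function names are hypothetical.

```sh
#!/bin/sh
# Added example. Run only AFTER the signature on checksums.txt has verified (step 1).
# Assumes manifest lines of the form "<64 hex chars>  <name>" (GNU sha256sum format).

# Print every regular file in DIR that checksums.txt does not list.
# checksums.txt and its .sig/.pem are exempt: the signature covers the manifest itself.
unlisted_artifacts() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        case $name in
            checksums.txt|checksums.txt.sig|checksums.txt.pem) continue ;;
        esac
        # The name starts at column 67: 64 hash characters plus a 2-character separator.
        # Compare it as a whole string so "a.tar.gz" never matches "xa.tar.gz".
        awk -v n="$name" '{ f = substr($0, 67) } f == n { found = 1 } END { exit !found }' \
            "$dir/checksums.txt" || printf '%s\n' "$name"
    done
}

# Return 0 only when every listed file matches and nothing unlisted is present.
# Return 1 on a hash mismatch or malformed manifest, 2 on unlisted files.
check_release_dir() {
    dir=$1
    # --strict rejects malformed manifest lines; --quiet prints only failures.
    ( cd "$dir" && sha256sum --check --strict --quiet checksums.txt ) || return 1
    extra=$(unlisted_artifacts "$dir")
    if [ -n "$extra" ]; then
        printf 'not covered by checksums.txt:\n%s\n' "$extra" >&2
        return 2
    fi
    return 0
}

# Usage: check_release_dir /path/to/downloaded/release
```
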
3. SBOM attestation (SPDX)
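```sh
# Keyless: the same identity flags as step 1 pin the signer.
cosign verify-blob-attestation --type spdxjson \
  --bundle <archive>.sbom.sigstore.json --new-bundle-format \
  --certificate-identity-regexp '^https://github.com/olivaresai/olivares' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --check-claims <archive>
```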
Add --key cosign.pub --insecure-ignore-tlog (instead of the identity flags) for the offline path. The CycloneDX SBOM (*.cdx.sbom.json) ships alongside for tooling that prefers it.
4. OpenVEX attestation
The project’s vulnerability statement, verified the same way:
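```sh
# Keyless: the same identity flags as step 1 pin the signer.
cosign verify-blob-attestation --type openvex \
  --bundle <archive>.vex.sigstore.json --new-bundle-format \
  --certificate-identity-regexp '^https://github.com/olivaresai/olivares' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --check-claims <archive>
```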
5. SLSA provenance
```sh
slsa-verifier verify-artifact <archive> \
  --provenance-path <provenance>.intoto.jsonl \
  --source-uri github.com/olivaresai/olivares
```
Verifying the container image
The keyless image path proves the image against the same GitHub Actions identity but needs network. Always resolve and deploy by digest, never by a mutable tag:
```sh
IMAGE=ghcr.io/olivaresai/controlplane
DIGEST="$(crane digest "$IMAGE:<version>")"
REF="$IMAGE@$DIGEST"

cosign verify "$REF" \
  --certificate-identity-regexp '^https://github.com/olivaresai/olivares' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```
For a fully disconnected estate, use the air-gap bundle instead: it carries the image, its signatures and attestations, and a cosign.pub, and verifies offline with cosign verify --local-image <dir> --insecure-ignore-tlog --key cosign.pub. The self-host guide covers building and mirroring that bundle.
What verification does and does not prove
Cryptographic verification proves provenance and integrity: that the artifact is the exact, unmodified output our pipeline built and signed. It does not certify the software’s behaviour or any compliance posture. Olivares AI is pre-1.0 and is designed toward — not certified against — frameworks like SOC 2 and ISO 27001; see Honesty and limits for what that distinction means in practice.
Verification is also only as complete as the attestations a given release actually published. The verifier reports each step it runs; if a build omits an artifact, the corresponding step has nothing to check. The standard release attaches the SBOM, OpenVEX and SLSA artifacts named above.
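Because a step with no artifact has nothing to check, an estate that expects the full set can treat an absent attestation as a failure before verifying anything. The preflight below is an added example, not part of the project's scripts; the function name is hypothetical, and the file-name patterns are assumed from the artifact table and the manual steps on this page.

```sh
#!/bin/sh
# Added example: fail closed when an expected release artifact is absent.
# Assumes attestations are named <archive>.sbom.sigstore.json and
# <archive>.vex.sigstore.json, where <archive> is the full *.tar.gz file name.

# Print one line per missing artifact; return 1 if anything is missing.
missing_attestations() {
    dir=$1
    missing=0
    # The signed manifest is the root of the chain (.pem is only used for keyless).
    for f in checksums.txt checksums.txt.sig; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; missing=1; }
    done
    archives=0
    for archive in "$dir"/*.tar.gz; do
        [ -f "$archive" ] || continue      # the glob matched nothing
        archives=$((archives + 1))
        for suffix in sbom.sigstore.json vex.sigstore.json; do
            [ -f "$archive.$suffix" ] ||
                { echo "missing: ${archive##*/}.$suffix"; missing=1; }
        done
    done
    [ "$archives" -gt 0 ] || { echo "missing: release archive (*.tar.gz)"; missing=1; }
    # SLSA provenance is matched by extension only, since the page names it
    # <provenance>.intoto.jsonl rather than after the archive.
    set -- "$dir"/*.intoto.jsonl
    [ -f "$1" ] || { echo "missing: SLSA provenance (*.intoto.jsonl)"; missing=1; }
    return "$missing"
}

# Usage: missing_attestations /path/to/downloaded/release || exit 1
```
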