Przejdź do treści

Guides

Verify a release

Prove an Olivares AI release is the one we published — verify its signature, SLSA provenance, SBOM and OpenVEX attestations, fully offline with no network

Ta dokumentacja jest obecnie dostępna wyłącznie w języku angielskim.

Olivares AI governs the agents on your infrastructure, so its own supply chain is part of your trust model. Before you run a release, prove it is the one we published. Every release ships the artifacts you need to verify that cryptographically — and the verification can run with no network at all, which is the path for disconnected and air-gapped estates.

Do not pipe an installer into a shell. Download the artifacts, verify them, then run them. The steps below are how.

What ships with a release

A tagged release carries the binary archives plus everything needed to attest them:

ArtifactWhat it is
checksums.txt (+ .sig, .pem)SHA-256 of every artifact, with a cosign signature and (keyless) certificate
*_<os>_<arch>.tar.gzthe release archive(s) for linux/darwin × amd64/arm64
*.spdx.sbom.json / *.cdx.sbom.jsonper-archive SBOM, shipped in both SPDX and CycloneDX form
*.sbom.sigstore.jsonthe SPDX SBOM wrapped as a signed in-toto attestation over the archive
*.vex.sigstore.jsonan OpenVEX statement as a signed in-toto attestation over the archive
*.intoto.jsonlSLSA build provenance (generated by slsa-github-generator)
container imagepublished to a registry, signed and attested, pinned by digest

The attestations reference each artifact by its bytes, never by a mutable tag.

The one-command path

The repository ships scripts/verify-release.sh. Run it from the directory holding the downloaded files; it walks the whole chain and reports each step:

# Keyless (Sigstore) — default. Needs network to the transparency log (Rekor).
scripts/verify-release.sh

# Key-based — verify against the project's public key (air-gap friendly).
scripts/verify-release.sh --key cosign.pub

# Fully offline — key-based, no transparency-log network at all.
scripts/verify-release.sh --key cosign.pub --offline

# Pin SLSA provenance to a specific source tag.
scripts/verify-release.sh --source-tag <version>

How the network is used depends on the signing model. Keyless signatures carry a Rekor transparency-log entry, so the default path reaches Rekor (you can pass --offline to use a bundled entry instead). Key-based signatures are produced without a Rekor entry, so the script adds --insecure-ignore-tlog and contacts nothing. The --key cosign.pub --offline combination is the genuinely disconnected path.

The script requires cosign and sha256sum; slsa-verifier is optional. Steps whose artifacts (or whose verifier) are absent are skipped with a clear note rather than failing — so it works on a minimal release and fully verifies a complete one.

What it checks, step by step

If you prefer to run the checks by hand, this is the chain. Substitute <archive> with each *.tar.gz.

1. Signature over the checksums

Verifying checksums.txt transitively trusts every artifact listed in it. Keyless verification pins the signing identity to the project’s GitHub Actions OIDC identity:

cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp '^https://github.com/olivaresai/olivares' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt

Key-based instead uses cosign verify-blob --key cosign.pub --signature checksums.txt.sig --insecure-ignore-tlog checksums.txt.

2. Artifact integrity

Re-compute every artifact’s hash against the now-trusted manifest:

sha256sum --check checksums.txt

3. SBOM attestation (SPDX)

cosign verify-blob-attestation --type spdxjson \
  --bundle <archive>.sbom.sigstore.json --new-bundle-format \
  --check-claims <archive>

Add --key cosign.pub --insecure-ignore-tlog (instead of the identity flags) for the offline path. The CycloneDX SBOM (*.cdx.sbom.json) ships alongside for tooling that prefers it.

4. OpenVEX attestation

The project’s vulnerability statement, verified the same way:

cosign verify-blob-attestation --type openvex \
  --bundle <archive>.vex.sigstore.json --new-bundle-format \
  --check-claims <archive>

5. SLSA provenance

slsa-verifier verify-artifact <archive> \
  --provenance-path <provenance>.intoto.jsonl \
  --source-uri github.com/olivaresai/olivares

Verifying the container image

The keyless image path proves the image against the same GitHub Actions identity but needs network. Always resolve and deploy by digest, never by a mutable tag:

IMAGE=ghcr.io/olivaresai/controlplane
DIGEST="$(crane digest "$IMAGE:<version>")"
REF="$IMAGE@$DIGEST"

cosign verify "$REF" \
  --certificate-identity-regexp '^https://github.com/olivaresai/olivares' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

For a fully disconnected estate, use the air-gap bundle instead: it carries the image, its signatures and attestations, and a cosign.pub, and verifies offline with cosign verify --local-image <dir> --insecure-ignore-tlog --key cosign.pub. The self-host guide covers building and mirroring that bundle.

What verification does and does not prove

Cryptographic verification proves provenance and integrity: that the artifact is the exact, unmodified output our pipeline built and signed. It does not certify the software’s behaviour or any compliance posture. Olivares AI is pre-1.0 and is designed toward — not certified against — frameworks like SOC 2 and ISO 27001; see Honesty and limits for what that distinction means in practice.

Verification is also only as complete as the attestations a given release actually published. The verifier reports each step it runs; if a build omits an artifact, the corresponding step has nothing to check. The standard release attaches the SBOM, OpenVEX and SLSA artifacts named above.