
Verifying release artifacts

What this is

Before you run a probectl binary or trust a release, you want proof that this repository's release workflow built it — not a fork, not a tampered copy. This page is how you check that proof.

Every released binary and the checksums.txt manifest are signed with cosign keyless (Sigstore). "Keyless" means there is no long-lived private key to leak: the release workflow signs using its GitHub OIDC identity, Sigstore's Fulcio issues a short-lived certificate bound to that identity (the .pem next to each artifact), and the signature is recorded in the public Rekor transparency log. What you verify, then, is the identity that signed — that the artifact came from imfeelingtheagi/probectl's release.yml running on a release tag — and nothing else.

Each release ships, per artifact: the artifact itself, <artifact>.sig, <artifact>.pem, plus one checksums.txt (which is itself signed the same way).

Verify (copy-paste)

# 0. Install cosign: https://docs.sigstore.dev/cosign/system_config/installation/
TAG=v0.1.0
BIN=probectl-agent_${TAG}_linux_amd64
BASE=https://github.com/imfeelingtheagi/probectl/releases/download/${TAG}

curl -fsSLO ${BASE}/${BIN} -O ${BASE}/${BIN}.sig -O ${BASE}/${BIN}.pem \
     -O ${BASE}/checksums.txt -O ${BASE}/checksums.txt.sig -O ${BASE}/checksums.txt.pem

# 1. The signature must chain to THIS repo's release workflow on a release tag.
cosign verify-blob \
  --certificate ${BIN}.pem \
  --signature   ${BIN}.sig \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp \
    "^https://github.com/imfeelingtheagi/probectl/\.github/workflows/release\.yml@refs/tags/" \
  ${BIN}

# 2. Same check for the manifest, then verify the binary's checksum against it.
cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity-regexp \
    "^https://github.com/imfeelingtheagi/probectl/\.github/workflows/release\.yml@refs/tags/" \
  checksums.txt
sha256sum --ignore-missing -c checksums.txt

Both cosign verify-blob calls print Verified OK, and sha256sum -c prints <artifact>: OK. Anything else: do not run the binary.

What the identity pin actually proves

The --certificate-oidc-issuer and --certificate-identity-regexp flags together say: Fulcio bound this signing certificate to the workflow release.yml in imfeelingtheagi/probectl, running for a refs/tags/... ref, authenticated by GitHub's OIDC issuer. A fork (a different owner in the path), a different workflow in the same repo, a build of a branch rather than a tag, or a binary re-signed under some other identity all fail that match, which is exactly the guarantee you want.
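To make the two checks above concrete without network access, here is an added example (not probectl's own code, and not a replacement for cosign): it applies the page's issuer and identity pins to the two strings cosign extracts from the Fulcio certificate, and it reimplements the `sha256sum --ignore-missing -c checksums.txt` step over a constructed release directory. The identity strings, file contents and manifest are constructed for the demo; cosign additionally verifies the certificate chain to Fulcio and the Rekor inclusion, which this helper deliberately does not attempt.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The two pins from the cosign invocation in the docs. cosign compares them with
# the issuer extension and the SAN URI of the Fulcio certificate; here they are
# applied to those two strings directly (assumption: the caller already has them).
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
IDENTITY_RE = re.compile(
    r"^https://github.com/imfeelingtheagi/probectl/\.github/workflows/release\.yml@refs/tags/"
)


def identity_pin_accepts(issuer, identity):
    """True only when both pins hold, mirroring cosign's AND of the two flags."""
    return issuer == GITHUB_OIDC_ISSUER and IDENTITY_RE.search(identity) is not None


def parse_checksums(text):
    """Parse sha256sum-format lines ('<64 hex>  <name>'; a '*' marks binary mode).

    Names with a directory component are rejected so a manifest can never point
    the check at a file outside the release directory.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line)
        if not m or "/" in m.group(2) or "\\" in m.group(2) or m.group(2) in (".", ".."):
            raise ValueError("malformed manifest line: %r" % line)
        entries[m.group(2)] = m.group(1).lower()
    return entries


def check_manifest(manifest_text, directory):
    """Equivalent of `sha256sum --ignore-missing -c checksums.txt` run in `directory`.

    Returns {name: "OK" | "FAILED" | "MISSING"}. Like sha256sum, a manifest that
    matches no present file is an error rather than a silent pass.
    """
    directory = Path(directory)
    results = {}
    for name, expected in parse_checksums(manifest_text).items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        digest = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
        results[name] = "OK" if digest.hexdigest() == expected else "FAILED"
    if not any(v in ("OK", "FAILED") for v in results.values()):
        raise ValueError("no file listed in the manifest is present; nothing was verified")
    return results


def demo():
    """Constructed release directory: one intact binary, one tampered binary and one
    platform build that was never downloaded. Returns (checksum results, pin verdicts)."""
    good = b"\x7fELF constructed agent binary bytes"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "probectl-agent_v0.1.0_linux_amd64").write_bytes(good)
        (d / "probectl-control_v0.1.0_linux_amd64").write_bytes(b"tampered bytes")
        manifest = "\n".join([
            hashlib.sha256(good).hexdigest() + "  probectl-agent_v0.1.0_linux_amd64",
            hashlib.sha256(b"original control bytes").hexdigest() + "  probectl-control_v0.1.0_linux_amd64",
            hashlib.sha256(b"darwin build").hexdigest() + "  probectl-agent_v0.1.0_darwin_arm64",
        ]) + "\n"
        checks = check_manifest(manifest, d)
    base = "https://github.com/imfeelingtheagi/probectl/.github/workflows/release.yml"
    cases = {
        "release tag": (GITHUB_OIDC_ISSUER, base + "@refs/tags/v0.1.0"),
        "fork": (GITHUB_OIDC_ISSUER, base.replace("imfeelingtheagi", "some-fork") + "@refs/tags/v0.1.0"),
        "other workflow": (GITHUB_OIDC_ISSUER, base.replace("release.yml", "ci.yml") + "@refs/tags/v0.1.0"),
        "branch build": (GITHUB_OIDC_ISSUER, base + "@refs/heads/main"),
        "other issuer": ("https://accounts.google.com", base + "@refs/tags/v0.1.0"),
    }
    verdicts = {case: identity_pin_accepts(*pair) for case, pair in cases.items()}
    return checks, verdicts


if __name__ == "__main__":
    checks, verdicts = demo()
    for name, status in checks.items():
        print(f"{name}: {status}")
    for case, ok in verdicts.items():
        print(f"identity pin {'accepts' if ok else 'rejects'}: {case}")
```

Two things the demo makes visible: the pin is anchored only at the start, so it accepts every release tag (that is the intent here; append the exact tag and `$` if you want to bind a download to one version), and a tampered file shows up as FAILED while a build you never downloaded is merely MISSING, which is why `--ignore-missing` is safe to use with a multi-platform manifest.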

SBOM

Each release also publishes probectl_<tag>_sbom.spdx.json — an SPDX-JSON software bill of materials covering the source tree and every Go and npm dependency, generated by syft at release time. It ships with its own .sig and .pem and verifies with the same cosign verify-blob invocation as any binary above. Feed it straight into your SCA / license tooling.

Container images carry their SBOM and build provenance differently: they are pushed with SLSA provenance + SBOM attestations (docker buildx with provenance: true, sbom: true). Inspect them with:

docker buildx imagetools inspect ghcr.io/imfeelingtheagi/probectl-control:<tag>

The release self-checks too

After signing, the release workflow runs cosign verify-blob on its own artifacts (the exact check above) before publishing. A release whose artifacts do not verify simply does not publish — so a published release is, by construction, a verifiable one.

Rendered live from github.com/imfeelingtheagi/probectl.