HiveBrain v1.2.0
Get Started
← Back to all entries
snippetbashTip

gh attestation — Download and verify artifact attestations to ensure their integrity and provenance. More information

Submitted by: @import:tldr-pages··
0
Viewed 0 times
clitldrgh attestationcommand-line
gh attestationcommandattestationsandartifactclidownloadverify

Problem

How to use the gh attestation command: Download and verify artifact attestations to ensure their integrity and provenance. More information: <https://cli.github.com/manual/gh_attestation>.

Solution

gh attestation — Download and verify artifact attestations to ensure their integrity and provenance. More information: <https://cli.github.com/manual/gh_attestation>.

Download attestations for a local file associated with a specific repository:
gh {{[at|attestation]}} download {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}


Download attestations for an OCI container image associated with an organization:
gh {{[at|attestation]}} download oci://{{image_uri}} {{[-o|--owner]}} {{organization_name}}


Verify a local artifact online against attestations from a specific repository:
gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}


Verify an artifact, requiring it was signed by a specific reusable workflow for enhanced security:
gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-o|--owner]}} {{organization_name}} --signer-workflow {{owner}}/{{repository}}/{{path/to/workflow.yml}}


Verify an artifact and output the detailed verification results as JSON for use in policy engines:
gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-o|--owner]}} {{organization_name}} --format json


Perform a fully offline verification using a downloaded bundle and a custom trusted root file:
gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-b|--bundle]}} {{path/to/bundle.jsonl}} --custom-trusted-root {{path/to/trusted_root.jsonl}}


Save the trusted root of signing certificates to a file for offline verification:
gh {{[at|attestation]}} trusted-root > {{path/to/trusted_root.jsonl}}

Code Snippets

Download attestations for a local file associated with a specific repository

gh {{[at|attestation]}} download {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}

Download attestations for an OCI container image associated with an organization

gh {{[at|attestation]}} download oci://{{image_uri}} {{[-o|--owner]}} {{organization_name}}

Verify a local artifact online against attestations from a specific repository

gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}

Verify an artifact, requiring it was signed by a specific reusable workflow for enhanced security

gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-o|--owner]}} {{organization_name}} --signer-workflow {{owner}}/{{repository}}/{{path/to/workflow.yml}}

Verify an artifact and output the detailed verification results as JSON for use in policy engines

gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-o|--owner]}} {{organization_name}} --format json

Context

tldr-pages: common/gh attestation

Revisions (0)

No revisions yet.