Verify a Release
Every published Caracal release is cryptographically signed and verifiable. Verify a download before you install or deploy it, especially when you fetch archives or images directly instead of through the installer.
How Releases Are Signed
Caracal signs releases with GitHub Artifact Attestations, built on the Sigstore keyless model:
- Signatures are produced in the release workflow with short-lived keys issued to the workflow’s OpenID Connect identity. No long-lived private signing key exists, so no signing key is stored on the servers that distribute the artifacts.
- The public trust root is Sigstore’s transparency log. The verifier confirms the artifact was built by the Garudex-Labs/caracal release workflow rather than checking a static public key you download separately.
- Release archives are additionally checksummed in SHA256SUMS, npm packages publish with provenance, and container images carry provenance and SBOM attestations.
Prerequisites
Install the GitHub CLI and authenticate it:

```sh
gh auth login
```

`gh attestation verify` needs network access to the Sigstore transparency log on first use.
Verify CLI and Console Archives
Download the archives, SHA256SUMS, and installers from the release page, then verify checksums and provenance:

```sh
# 1. Confirm archive integrity against the published checksums.
sha256sum --check SHA256SUMS

# 2. Confirm each archive was built by the Caracal release workflow.
gh attestation verify caracal-runtime-*.tar.gz --repo Garudex-Labs/caracal
gh attestation verify caracal-console-*.tar.gz --repo Garudex-Labs/caracal
```

`gh attestation verify` exits non-zero and prints the failing policy if the signature, identity, or transparency-log entry does not match. The bundled installers run the same `gh attestation verify ... --repo Garudex-Labs/caracal` check automatically; pass `--no-verify-provenance` (Unix) or `-NoVerifyProvenance` (Windows) only when you must skip it.
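The two-step check above, wrapped as a fail-closed script. This is an added example, not code from the Caracal docs or the project's own installers; it assumes GNU `sha256sum` (falling back to `shasum -a 256`) and the GitHub CLI on PATH, and the function names and the `./downloads` directory are illustrative. It adds one check that the plain `sha256sum --check` line does not make: an archive you downloaded that is absent from SHA256SUMS is treated as a failure rather than left unchecked, and provenance is verified only for archives whose digest already matched.

```sh
#!/bin/sh
# Added example (not from the Caracal docs): fail-closed release verification.
# Assumes sha256sum or shasum, plus an authenticated GitHub CLI, on PATH.

REPO="Garudex-Labs/caracal"

# Print the SHA-256 hex digest of a file, portable across sha256sum/shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_listed SUMS_FILE ARTIFACT...
# Succeeds only if every named artifact appears in SUMS_FILE and its digest
# matches. An artifact missing from the list is an error, not "unchecked".
check_listed() {
  sums="$1"; shift
  rc=0
  for f in "$@"; do
    name=$(basename "$f")
    # SHA256SUMS lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode);
    # strip the optional "*" and keep the digest of the matching entry.
    expected=$(awk -v n="$name" \
      '{ fn=$2; sub(/^\*/, "", fn); if (fn == n) h=$1 } END { print h }' "$sums")
    if [ -z "$expected" ]; then
      echo "FAIL: $name is not listed in $sums" >&2; rc=1; continue
    fi
    actual=$(sha256_of "$f")
    if [ "$actual" = "$expected" ]; then
      echo "OK:   $name"
    else
      echo "FAIL: $name digest mismatch (expected $expected, got $actual)" >&2; rc=1
    fi
  done
  return $rc
}

# Provenance check: was each artifact built by the Caracal release workflow?
# Stops at the first artifact gh rejects; gh prints the failing policy itself.
verify_provenance() {
  for f in "$@"; do
    gh attestation verify "$f" --repo "$REPO" || return 1
  done
}

# verify_release DOWNLOAD_DIR ARTIFACT...
# Integrity first (bytes match the published list), then authenticity
# (built by the trusted workflow). Either failure aborts with non-zero status.
verify_release() {
  dir="$1"; shift
  check_listed "$dir/SHA256SUMS" "$@" || return 1
  verify_provenance "$@"
}

# Usage (illustrative paths):
#   verify_release ./downloads ./downloads/caracal-runtime-*.tar.gz \
#                              ./downloads/caracal-console-*.tar.gz
```

A checksum match only proves the bytes equal what was published beside the archive; the attestation step is what proves who built them, so a script that stops after the checksum has not verified the release.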
Verify Container Images
Pull the image by digest, then verify its build provenance:

```sh
gh attestation verify oci://ghcr.io/garudex-labs/caracal-go:vYYYY.MM.DD \
  --repo Garudex-Labs/caracal
```

Inspect the attached SBOM and provenance attestations with the registry tooling:

```sh
docker buildx imagetools inspect ghcr.io/garudex-labs/caracal-go:vYYYY.MM.DD \
  --format '{{ json .Provenance }}'
```

Verify Published Packages
npm packages publish with provenance; verify before installing:

```sh
npm audit signatures
```

If Verification Fails
Do not install or run the artifact. Re-download from the official release page, confirm you used the correct release tag, and if verification still fails, report it privately.

