gh-release-verify-asset - Verify that a given asset originated from a release
gh release verify-asset [<tag>] <file-path> [flags]
Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations.
An attestation is a claim made by GitHub regarding a release and its assets.
This command checks that the asset you provide matches a valid attestation for the specified release (or the latest release, if no tag is given).
It ensures the asset’s integrity by validating that the asset’s digest matches the subject in the attestation and that the attestation is associated with the release.
--format <string>
Output format: {json}
-q, --jq <expression>
Filter JSON output using a jq expression
-t, --template <string>
Format JSON output using a Go template; see "gh help formatting"
-R, --repo <[HOST/]OWNER/REPO>
Select another repository using the [HOST/]OWNER/REPO format
0: Successful execution
1: Error
2: Command canceled
4: Authentication required
NOTE: Specific commands may have additional exit codes. Refer to the command’s help for more information.
# Verify an asset from the latest release
$ gh release verify-asset ./dist/my-asset.zip
# Verify an asset from a specific release tag
$ gh release verify-asset v1.2.3 ./dist/my-asset.zip
# Verify an asset from a specific release tag and output the attestation in JSON format
$ gh release verify-asset v1.2.3 ./dist/my-asset.zip --format json
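A fail-closed wrapper that acts on the exit codes listed above, as an added example that is not part of the gh manual. The function names, the status 64 for unusable arguments, and the repository, tag and paths a caller passes in are assumptions; it requires an explicit tag instead of relying on the latest release.

```shell
#!/bin/sh
# Added example: fail-closed gate around `gh release verify-asset`.
# Function names and the 64 status are illustrative assumptions.

# verify_release_asset <owner/repo> <tag> <file>
# Returns gh's exit status (0, 1, 2 or 4 as documented above), or 64 when
# the arguments are unusable and gh was never invoked.
verify_release_asset() {
    vra_repo=$1 vra_tag=$2 vra_file=$3

    # Require an explicit tag: with no tag the command checks the latest
    # release, which may not be the release the caller intended to trust.
    if [ -z "$vra_repo" ] || [ -z "$vra_tag" ]; then
        echo "verify: repository and tag are required" >&2
        return 64
    fi
    if [ ! -f "$vra_file" ]; then
        echo "verify: not a regular file: $vra_file" >&2
        return 64
    fi

    # Capture the status without tripping `set -e` in the calling script.
    vra_rc=0
    gh release verify-asset "$vra_tag" "$vra_file" -R "$vra_repo" >/dev/null || vra_rc=$?

    # Every non-zero status leaves the asset unverified; only the message differs.
    case $vra_rc in
        0) echo "verify: $vra_file matches an attestation for $vra_tag" >&2 ;;
        2) echo "verify: canceled; treating asset as unverified" >&2 ;;
        4) echo "verify: authentication required; run 'gh auth login'" >&2 ;;
        *) echo "verify: failed (exit $vra_rc); asset is unverified" >&2 ;;
    esac
    return "$vra_rc"
}

# install_if_verified <owner/repo> <tag> <file> <dest>
# Copies the asset into place only after verification succeeds.
install_if_verified() {
    verify_release_asset "$1" "$2" "$3" || return $?
    cp -- "$3" "$4"
}
```

In CI, call `install_if_verified` with the release tag pinned in the pipeline configuration so that a newer release cannot change which attestation the asset is checked against.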
gh-release(1)