How do I verify supply-chain attestations?
Verify the release artifact with gh attestation verify before promotion, and use cosign verify-attestation for Sigstore-backed artifacts or containers.
- knowledge-base
- attestation
- supply-chain
- enterprise
Recommended Actions
- run gh attestation verify on the release artifact
- run cosign verify-attestation for upstream image or artifact checks
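The two actions above as a single fail-closed promotion gate, added here as an example and not a script from the original page; the repo, artifact, image, signer identity and issuer values are placeholders you would replace with your own.

```shell
#!/bin/sh
# Example promotion gate (added here, not from the original page). Fails closed: nothing
# is promoted unless both attestation checks pass. All values below are placeholders.
set -u
RELEASE_ARTIFACT="${RELEASE_ARTIFACT:-./myapp-1.2.3.tar.gz}"      # downloaded release file
SOURCE_REPO="${SOURCE_REPO:-example-org/myapp}"                    # repo that built it
IMAGE_REF="${IMAGE_REF:-ghcr.io/example-org/myapp@sha256:PLACEHOLDER}"  # digest-pinned image
SIGNER_IDENTITY="${SIGNER_IDENTITY:-https://github.com/example-org/myapp/.github/workflows/release.yml@refs/tags/v1.2.3}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

require_tool() {
  # 0 if the CLI is on PATH, 1 otherwise, so a missing tool is a failed check, not a skipped one.
  command -v "$1" >/dev/null 2>&1
}

verify_release_artifact() {
  # gh attestation verify checks the artifact's provenance attestation against the repo that built it.
  [ -f "$1" ] || { echo "missing artifact: $1" >&2; return 1; }
  gh attestation verify "$1" --repo "$2"
}

verify_image_attestation() {
  # cosign verify-attestation checks the image's SLSA provenance attestation; pinning the
  # certificate identity and issuer rejects attestations signed by any other workflow.
  case $1 in
    *@sha256:*) ;;
    *) echo "refusing unpinned image reference: $1" >&2; return 1 ;;
  esac
  cosign verify-attestation --type slsaprovenance \
    --certificate-identity "$2" --certificate-oidc-issuer "$3" "$1" >/dev/null
}

promotion_gate() {
  require_tool gh && require_tool cosign || { echo "gh and cosign are required" >&2; return 1; }
  verify_release_artifact "$RELEASE_ARTIFACT" "$SOURCE_REPO" || return 1
  verify_image_attestation "$IMAGE_REF" "$SIGNER_IDENTITY" "$OIDC_ISSUER" || return 1
  echo "attestations verified: safe to promote $RELEASE_ARTIFACT and $IMAGE_REF"
}

# Only run the gate when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then promotion_gate; fi
```

Run it as `sh gate.sh --run` from the promotion job; a nonzero exit from either check stops the pipeline before the artifact or image is tagged for release.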
Why this matters
Attestation checks give you provenance before you trust a build.
Structured Answers
What is the first recommended action for verifying supply-chain attestations?
run gh attestation verify on the release artifact