Release verification
ReaperCI release assets are reproducible inputs for Linux amd64 and arm64, not trust-on-first-download files. Every release contains architecture-specific hub/connector archives, SPDX JSON SBOMs, an installer bundle, the production Compose definition, SHA-256 checksums, and a keyless Sigstore bundle for those checksums. The multi-architecture OCI image also carries BuildKit SBOM and provenance attestations and is signed by the release workflow identity.
Verify downloaded assets
Install cosign, then download checksums.txt,
checksums.txt.sigstore.json, and the required release files into one
directory. Verify the workflow identity before trusting the checksum list:
version=v0.1.0
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp "^https://github.com/clow99/ReaperCI/.github/workflows/release.yml@refs/tags/${version}$" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
sha256sum --ignore-missing --check checksums.txt
The identity expression must name this repository, this workflow, and the exact
release tag. Do not weaken it to a generic GitHub pattern. Inspect the matching
linux-amd64.spdx.json or linux-arm64.spdx.json before installation when
software inventory policy applies.
Verify the container image
Resolve and verify the immutable digest rather than trusting a mutable tag:
image=ghcr.io/clow99/reaperci:v0.1.0
digest="$(docker buildx imagetools inspect "$image" --format '{{json .Manifest.Digest}}' | tr -d '"')"
cosign verify \
--certificate-identity-regexp '^https://github.com/clow99/ReaperCI/.github/workflows/release.yml@refs/tags/v0\.1\.0$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
"ghcr.io/clow99/reaperci@${digest}"
Pre-release tags such as v0.1.0-rc.1 never move latest. Stable releases do
publish latest, but production installation and upgrade commands must still
use the immutable semantic version or digest.
When the canonical GitHub repository becomes public at GA, the same workflow
also records GitHub artifact attestations. Verify them with
gh attestation verify <file> --repo clow99/ReaperCI. Private beta releases use
the signed checksum bundle as the downloadable-asset trust root because GitHub
artifact attestations for private repositories require an eligible Enterprise
plan.