Release Provenance
Signed release evidence, checksums, and attestation expectations.
Overview
This page records the evidence that downstream operators should verify before trusting a tagged build. A release is only publishable when the tag, the artifact, the signature, the checksum, and the provenance note all describe the same commit.
Required fields
| Field | Description |
|---|---|
| Release tag | Public version label, for example v2.0.1. |
| Commit SHA | Exact public commit that produced the build. |
| Artifact names | Released binaries, archives, or packages. |
| Checksums | SHA-256 digests for each public artifact. |
| Signature | Maintainer signature for the tagged release. |
| SBOM | CycloneDX inventory for the build. |
| Build provenance | SLSA or in-toto attestation for the release job. |
| Release note | User-visible changes and rollback guidance. |
| Release manifest | JSON inventory of the published assets and their digests; publish alongside release-manifest.json.sha256. |
| Published at | Timestamp of the public release announcement. |
Verification checklist
- Confirm the release tag resolves to the expected commit SHA.
- Verify every published checksum against the downloaded artifact.
- Verify the release signature with the published maintainer key.
- Inspect the SBOM for unexpected packages or transitive drift.
- Compare the build provenance with the release note and the changelog.
- Confirm the release note includes rollback guidance for operators.
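The tag, commit and checksum steps of the checklist, as an added example rather than the project's own tooling. It assumes the `.sha256` file uses `sha256sum` output format and that the manifest carries `tag`, `commit` and `artifacts[].name`/`sha256` keys, none of which this page specifies; the sample release is constructed.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(release_dir, expected_tag, expected_commit):
    """Return a list of failures; an empty list means the evidence agrees."""
    d = Path(release_dir)
    manifest_path = d / "release-manifest.json"
    # Assumed sidecar layout (sha256sum style): "<hex digest>  <file name>"
    text = (d / "release-manifest.json.sha256").read_text()
    recorded = (text.split() or [""])[0].lower()
    if recorded != sha256_file(manifest_path):
        return ["release-manifest.json does not match its .sha256 file"]
    manifest = json.loads(manifest_path.read_text())
    failures = []
    # Assumed manifest keys: tag, commit, artifacts[].name, artifacts[].sha256
    if manifest.get("tag") != expected_tag:
        failures.append("manifest tag differs from the expected release tag")
    if manifest.get("commit") != expected_commit:
        failures.append("manifest commit differs from the expected commit SHA")
    for entry in manifest.get("artifacts", []):
        name = entry["name"]
        if Path(name).name != name:  # refuse names that leave release_dir
            failures.append(f"{name}: artifact name is not a plain file name")
        elif not (d / name).is_file():
            failures.append(f"{name}: listed in manifest but not downloaded")
        elif sha256_file(d / name) != entry["sha256"].lower():
            failures.append(f"{name}: SHA-256 mismatch")
    return failures

def build_sample_release(release_dir):
    """Write a constructed release (placeholder tag, commit and artifact)."""
    d = Path(release_dir)
    artifact = d / "example-artifact.tar.gz"
    artifact.write_bytes(b"constructed artifact bytes")
    manifest = {"tag": "v0.0.0-example", "commit": "0" * 40, "artifacts": [
        {"name": artifact.name, "sha256": sha256_file(artifact)}]}
    (d / "release-manifest.json").write_text(json.dumps(manifest, indent=2))
    digest = sha256_file(d / "release-manifest.json")
    (d / "release-manifest.json.sha256").write_text(f"{digest}  release-manifest.json\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_release(tmp)
        print(verify_release(tmp, "v0.0.0-example", "0" * 40))
```

An empty result shows only that the downloaded files agree with each other; the signature, SBOM and provenance checks in the list still have to pass before the build is trusted.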
Current status
- No public release artifacts are yet published in this checkout.
- The release workflow emits release-manifest.json and release-manifest.json.sha256 alongside signed archives and SBOMs.
- This document defines the evidence required for the first public release.