KuberCoin Docs

Release Provenance

Signed release evidence, checksums, and attestation expectations.

Overview

This page records the evidence that downstream operators should verify before trusting a tagged build. A release is only publishable when the tag, the artifact, the signature, the checksum, and the provenance note all describe the same commit.

Required fields

Field              Description
Release tag        Public version label, for example v2.0.1.
Commit SHA         Exact public commit that produced the build.
Artifact names     Released binaries, archives, or packages.
Checksums          SHA-256 digests for each public artifact.
Signature          Maintainer signature for the tagged release.
SBOM               CycloneDX inventory for the build.
Build provenance   SLSA or in-toto attestation for the release job.
Release note       User-visible changes and rollback guidance.
Release manifest   JSON inventory of the published assets and their digests; publish alongside release-manifest.json.sha256.
Published at       Timestamp of the public release announcement.

Verification checklist

  1. Confirm the release tag resolves to the expected commit SHA.
  2. Verify every published checksum against the downloaded artifact.
  3. Verify the release signature with the published maintainer key.
  4. Inspect the SBOM for unexpected packages or transitive drift.
  5. Compare the build provenance with the release note and the changelog.
  6. Confirm the release note includes rollback guidance for operators.
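The checklist above, worked as an added Python example that is not part of the KuberCoin project: it checks a constructed release-manifest.json against its release-manifest.json.sha256 file, compares the tag and commit the manifest names with what the operator expects, and verifies every listed artifact's SHA-256 digest. The manifest field names (tag, commit, artifacts) and all sample bytes are assumptions; the signature, SBOM and provenance steps are not covered here.

```python
import hashlib
import json

# Constructed sample release, not a real KuberCoin release: the artifact
# bytes, the commit SHA and the manifest layout below are placeholders.
ARTIFACTS = {
    "kubercoin-linux-amd64.tar.gz": b"constructed archive bytes",
    "kubercoin-sbom.cdx.json": b'{"bomFormat": "CycloneDX"}',
}
MANIFEST = json.dumps({
    "tag": "v2.0.1",
    "commit": "0" * 40,  # placeholder commit SHA
    "artifacts": [{"name": n, "sha256": hashlib.sha256(b).hexdigest()}
                  for n, b in ARTIFACTS.items()],
}, sort_keys=True).encode()
# release-manifest.json.sha256 in sha256sum's "<digest>  <file>" format
MANIFEST_SHA256 = f"{hashlib.sha256(MANIFEST).hexdigest()}  release-manifest.json\n"


def verify_release(manifest_bytes, sha256_file, files, expected_tag, expected_commit):
    """Return a list of problems; an empty list means every check passed.

    expected_commit is the SHA the release tag resolved to (checklist step 1);
    files maps downloaded artifact names to their bytes (step 2).
    """
    parts = sha256_file.split()
    if len(parts) != 2 or parts[1] != "release-manifest.json":
        return ["release-manifest.json.sha256 is malformed"]
    if hashlib.sha256(manifest_bytes).hexdigest() != parts[0]:
        # Stop here: a manifest that fails its own digest vouches for nothing.
        return ["release-manifest.json does not match release-manifest.json.sha256"]
    manifest = json.loads(manifest_bytes)
    problems = []
    if manifest.get("tag") != expected_tag:
        problems.append(f"manifest tag {manifest.get('tag')!r} != expected {expected_tag!r}")
    if manifest.get("commit") != expected_commit:
        problems.append("manifest commit does not match the commit the tag resolves to")
    listed = {a["name"] for a in manifest.get("artifacts", [])}
    for art in manifest.get("artifacts", []):
        data = files.get(art["name"])
        if data is None:
            problems.append(f"{art['name']}: listed in manifest but not downloaded")
        elif hashlib.sha256(data).hexdigest() != art["sha256"]:
            problems.append(f"{art['name']}: SHA-256 mismatch")
    # Anything published that the manifest does not list is also a finding.
    for extra in sorted(set(files) - listed):
        problems.append(f"{extra}: downloaded but not listed in manifest")
    return problems
```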

Current status

  • No public release artifacts are yet published in this checkout.
  • The release workflow emits release-manifest.json and release-manifest.json.sha256 alongside signed archives and SBOMs.
  • This document defines the evidence required for the first public release.

References