Verifying dops Releases
All dops release artifacts are signed with Sigstore cosign in keyless mode: the GitHub Actions workflow that builds a release authenticates to Fulcio with its OIDC token, receives a short-lived certificate bound to that workflow identity, signs with an ephemeral key, and the signature is recorded in the Rekor transparency log. Every release is therefore cryptographically tied to the workflow that built it, and there is no long-lived private key that could be leaked or stolen; verification checks the certificate's identity and issuer rather than a public key.
Prerequisites
Install cosign (single static binary, works on Linux, macOS, and Windows):

```sh
# Homebrew
brew install cosign

# Go
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Windows (scoop)
scoop install cosign
```

See the cosign installation docs for all options.
Verifying Binary Releases
Each GitHub Release includes:
- checksums.txt: SHA-256 hashes for every archive (and SBOM)
- checksums.txt.sig: cosign signature over checksums.txt
- checksums.txt.pem: the short-lived signing certificate issued to the workflow
Step 1: Verify the checksum signature
```sh
cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp "https://github.com/rundops/dops" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  checksums.txt
```

A successful result prints `Verified OK`; any other output, or a non-zero exit status, means the signature, certificate, or transparency-log entry did not check out and the archive must not be used. Note that `--certificate-identity-regexp` is a regular expression and the value above is unanchored, so it would also accept identities such as https://github.com/rundops/dops-fork/...; for a stricter check anchor it (`^https://github\.com/rundops/dops/`) or pin the exact workflow path and tag ref that appear in the certificate's Subject Alternative Name.
Step 2: Verify the archive checksum
Linux / macOS:

```sh
# --ignore-missing skips the archives you did not download; without it,
# sha256sum reports them as missing and exits non-zero
sha256sum --ignore-missing -c checksums.txt
# macOS has no sha256sum; the bundled shasum accepts the same flags
shasum -a 256 --ignore-missing -c checksums.txt
```

Check that the archive you downloaded is listed with `OK` and that the command exits 0.

Windows (PowerShell):

```powershell
# Check a specific archive (adjust the pattern to the file you downloaded)
$archive  = Get-Item dops_*_windows_amd64.zip
# checksums.txt lines are "<hex>  <filename>"; select the line for this archive only
$line     = Get-Content checksums.txt | Where-Object { $_ -match ("\s" + [regex]::Escape($archive.Name) + '$') }
if (-not $line) { throw "no entry for $($archive.Name) in checksums.txt" }
$expected = ($line -split '\s+')[0].ToLower()
$actual   = (Get-FileHash $archive -Algorithm SHA256).Hash.ToLower()
if ($expected -eq $actual) { "OK" } else { "MISMATCH" }
```

Verifying Docker Images
```sh
cosign verify \
  --certificate-identity-regexp "https://github.com/rundops/dops" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/rundops/dops:v0.1.0
```

Replace v0.1.0 with the version you pulled. On success cosign prints a JSON array describing each verified signature and exits 0; a non-zero exit means no signature matched the identity and issuer constraints. Because images are signed by digest, prefer to verify the digest-pinned reference you actually run (ghcr.io/rundops/dops@sha256:...), which `docker pull` prints as `Digest:`; a tag can be moved to a different image, a digest cannot.
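The steps above, combined into one script, as an added example that is not part of the dops project: it downloads one release archive plus checksums.txt, its signature and certificate, verifies the keyless signature with a pinned issuer and an anchored identity, then checks the archive's SHA-256 against its entry, and also provides a helper for the GHCR image. The workflow-path pattern in IDENTITY_RE, the release-asset URL pattern, and the archive naming are assumptions marked in comments; the flags used are standard cosign v2 flags.

```shell
#!/bin/sh
# Added example (not part of the dops project): download one dops release archive,
# check the cosign keyless signature on checksums.txt, then check the archive's
# SHA-256 against it. Assumptions are marked in comments.
set -eu

REPO="rundops/dops"
ISSUER="https://token.actions.githubusercontent.com"
# Assumption: releases are signed by a workflow file under .github/workflows in
# rundops/dops. The regexp is anchored so identities such as
# https://github.com/rundops/dops-fork/... do not match; tighten it to the exact
# workflow path and tag ref once you have read them from checksums.txt.pem.
IDENTITY_RE='^https://github\.com/rundops/dops/\.github/workflows/'

# sha256 FILE -> hex digest (falls back to shasum on macOS, which lacks sha256sum)
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{ print $1 }'
}

# verify_checksum FILE CHECKSUMS -> 0 when FILE's digest equals its entry in CHECKSUMS.
# Lines look like "<hex>  <filename>"; only the named file is checked, so the other
# archives listed in checksums.txt need not be downloaded.
verify_checksum() {
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256 "$file")
  if [ "$expected" != "$actual" ]; then
    echo "MISMATCH $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "OK $name"
}

# verify_checksums_signature CHECKSUMS -> exit status of cosign verify-blob; expects
# CHECKSUMS.sig and CHECKSUMS.pem beside the file. The OIDC issuer is pinned, the
# identity regexp is anchored, and --certificate-github-workflow-repository also
# requires the certificate's repository claim to be rundops/dops.
verify_checksums_signature() {
  sums=$1
  cosign verify-blob \
    --certificate "$sums.pem" \
    --signature "$sums.sig" \
    --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-github-workflow-repository "$REPO" \
    "$sums"
}

# verify_image REF -> verifies a GHCR image signature. Pass the digest-pinned
# reference (ghcr.io/rundops/dops@sha256:...) so what you verified is what you run.
verify_image() {
  cosign verify \
    --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-github-workflow-repository "$REPO" \
    "$1" >/dev/null
}

# fetch TAG NAME -> downloads one asset of the GitHub Release tagged TAG
fetch() {
  curl -fsSLO "https://github.com/$REPO/releases/download/$1/$2"
}

# main TAG ARCHIVE -> e.g. main v0.1.0 dops_<version>_linux_amd64.tar.gz (take the
# exact archive name from the Release page; the naming pattern here is an assumption)
main() {
  tag=$1
  archive=$2
  for f in "$archive" checksums.txt checksums.txt.sig checksums.txt.pem; do
    fetch "$tag" "$f"
  done
  verify_checksums_signature checksums.txt
  verify_checksum "$archive" checksums.txt
  echo "release $tag: $archive verified; safe to extract"
}

[ $# -eq 0 ] || main "$@"
```

Run it as `sh verify-dops-release.sh v0.1.0 <archive name>`. To find the exact identity to pin, read the certificate's Subject Alternative Name: `base64 -d checksums.txt.pem | openssl x509 -noout -text | grep -A1 'Subject Alternative'` (cosign writes the .pem base64-wrapped; if the file already starts with `-----BEGIN CERTIFICATE-----`, skip the base64 step). The URI there has the form `https://github.com/<org>/<repo>/.github/workflows/<file>@refs/tags/<tag>`; once you have it you can replace the regexp with an exact `--certificate-identity`. For the image, obtain the digest you pulled with `docker inspect --format '{{index .RepoDigests 0}}' ghcr.io/rundops/dops:v0.1.0` and pass that reference to verify_image.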
What Gets Signed
| Artifact | Method |
|---|---|
| Binary archives (tar.gz, zip) | Transitively via checksums.txt signature |
| SBOMs (SPDX JSON) | Transitively via checksums.txt signature |
| checksums.txt | Direct cosign keyless signature |
| Docker images (GHCR) | Direct cosign keyless signature by digest |
SBOMs
Each release also includes SPDX JSON SBOMs (one per archive) generated by Syft. Their SHA-256 hashes are listed in checksums.txt, so they are covered by the checksum signature: verify them with the same sha256sum -c step before feeding them to a vulnerability scanner or an inventory.