Release verification

Check before you mount.

The public verifier checks the downloaded DMG's outer SHA-256 first, then validates signing, notarization, Gatekeeper, the bundled CLI, the pinned public source tag, and the SPDX SBOM.

1. Download matching files

Keep the DMG, Authsia-<version>.provenance.json, and versioned SPDX file together. The public tag release also contains authsia.spdx.json, source, CLI, checksums, and GitHub attestations.

2. Run the public verifier

Clone the public source and check out the tag named in the provenance file. Then run scripts/verify-release.sh:

git clone https://github.com/james-liang-cs/authsia.git
cd authsia
scripts/verify-release.sh \
  /path/to/Authsia-<version>.dmg \
  /path/to/Authsia-<version>.provenance.json \
  --sbom /path/to/Authsia-<version>.spdx.json

3. Confirm the expected identity

The script requires the published Developer ID authority and Apple Team ID:

33M8QU65SP

Stop if the outer hash, source tag/SHA, SBOM hash, bundled CLI hash, signing identity, notarization, or Gatekeeper assessment differs.

Public artifact attestations

GitHub attestations cover the public CLI and SBOM built from the public tag workflow. They do not attest the private application build.

gh attestation verify <artifact> \
  --repo james-liang-cs/authsia