1. Download matching files
Keep the DMG, Authsia-<version>.provenance.json, and versioned SPDX file together. The public tag release also contains authsia.spdx.json, source, CLI, checksums, and GitHub attestations.
Release verification
The public verifier checks the downloaded DMG's outer SHA-256 first, then validates signing, notarization, Gatekeeper, the bundled CLI, the pinned public source tag, and the SPDX SBOM.
Keep the DMG, Authsia-<version>.provenance.json, and versioned SPDX file together. The public tag release also contains authsia.spdx.json, source, CLI, checksums, and GitHub attestations.
Clone the public source and check out the tag named in the provenance file. Then run scripts/verify-release.sh:
git clone https://github.com/james-liang-cs/authsia.git
cd authsia
scripts/verify-release.sh \
/path/to/Authsia-<version>.dmg \
/path/to/Authsia-<version>.provenance.json \
--sbom /path/to/Authsia-<version>.spdx.json
The script requires the published Developer ID authority and Apple Team ID:
33M8QU65SP
Stop if the outer hash, source tag/SHA, SBOM hash, bundled CLI hash, signing identity, notarization, or Gatekeeper assessment differs.
GitHub attestations cover the public CLI and SBOM built from the public tag workflow. They do not attest the private application build.
gh attestation verify <artifact> \
--repo james-liang-cs/authsia