Release Verification¶
This document describes how to verify the authenticity and integrity of MIESC releases.
Overview¶
All MIESC releases are:
- Signed with Sigstore - Cryptographically signed using keyless signing
- Checksummed - SHA256 checksums provided for all artifacts
- Published via GitHub Actions - Transparent, auditable build process
Quick Verification¶
1. Verify Checksums¶
Download SHA256SUMS.txt from the release and verify:
# Download the release files and checksums
wget https://github.com/fboiero/MIESC/releases/download/v5.4.3/SHA256SUMS.txt
wget https://github.com/fboiero/MIESC/releases/download/v5.4.3/miesc-5.4.3.tar.gz
# Verify checksum
sha256sum -c SHA256SUMS.txt
2. Verify Sigstore Signatures¶
# Install cosign (https://docs.sigstore.dev/cosign/installation/)
# macOS
brew install cosign
# Linux
curl -LO https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
# Verify signature
cosign verify-blob \
--signature miesc-5.4.3.tar.gz.sig \
--certificate miesc-5.4.3.tar.gz.pem \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
miesc-5.4.3.tar.gz
Expected output:
Understanding Sigstore Signatures¶
What is Sigstore?¶
Sigstore is a Linux Foundation project that provides:
- Keyless signing: No long-lived keys to manage
- Transparency log: All signatures recorded in Rekor
- OIDC-based identity: Tied to GitHub Actions workflow
What the Signature Proves¶
When you verify a MIESC signature, you confirm:
- Provenance: The artifact was built by GitHub Actions in the fboiero/MIESC repository
- Integrity: The artifact hasn't been modified since signing
- Authenticity: The signature was created during an official release workflow
Certificate Details¶
Each .pem certificate file contains:
Verifying Docker Images¶
Docker images are also signed with cosign:
# Verify Docker image signature
cosign verify ghcr.io/fboiero/miesc:5.4.3
# Verify with specific issuer
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/fboiero/miesc:5.4.3
The most recent detailed Docker status record (GHCR digest, image scope, and smoke-test commands) is the MIESC 5.4.2 Release Status note; the same verification flow applies to the current 5.4.3 images and artifacts.
Verifying PyPI Packages¶
PyPI packages are published using Trusted Publishers (OIDC):
# Download from PyPI
pip download miesc==5.4.3 --no-deps
# Compare checksum with GitHub release
sha256sum miesc-5.4.3.tar.gz
# Should match SHA256SUMS.txt from GitHub release
Build Reproducibility¶
While full reproducibility is not yet implemented, you can verify the build process:
- Check workflow run: Each release links to its GitHub Actions run
- Audit logs: GitHub provides audit logs for all workflow executions
- Attestations: SLSA attestations are planned for future releases
CI Gate Policy¶
The main CI workflow separates blocking gates from advisory signals:
| Gate | Blocking | Notes |
|---|---|---|
| Lint and formatting | Yes | Ruff, Black, and import ordering must pass. |
| Unit tests | Yes | Coverage threshold is enforced in CI. |
| Integration tests | Yes | Optional tool installation may warn, but the tests themselves must pass. |
| Security dependency checks | Yes for high/critical pip-audit findings | Safety output is retained as an advisory report. |
| Type checking | Advisory | Mypy runs on every CI execution and is summarized, but it does not block while legacy annotations are normalized. |
| Docker vulnerability scan | Advisory | Trivy SARIF upload should not block release packaging when the image build and smoke tests pass. |
| Documentation build | Yes | MkDocs builds with docs/mkdocs.yml; Sphinx builds from docs/conf.py. |
| Documentation links and MkDocs strict mode | Advisory | Link rot, legacy anchors, and historical archive references are reported but do not block code releases until the archive is normalized. |
| Marketplace PyPI availability | Advisory | Marketplace PRs may reference packages before publication; JSON schema and slug uniqueness remain blocking. |
| Smart-contract analysis workflow | Finding gate | Tool execution is best-effort across optional analyzers; the combined report fails on critical/high findings. |
This policy keeps release-blocking checks explicit while preserving visibility for work that is still being hardened.
Paper Reproducibility Baseline¶
The current paper evidence baseline is tagged as:
That tag points to the commit used as the stable review baseline for Paper 1 and Paper 2 evidence. Later experiments should be additive and should not overwrite the tagged paper artifacts.
Supply Chain Security¶
SLSA Compliance¶
MIESC targets SLSA Level 2:
| Requirement | Status |
|---|---|
| Version controlled | ✅ Git |
| Build service | ✅ GitHub Actions |
| Build as code | ✅ Workflow files |
| Provenance | ✅ Sigstore attestations |
| Isolated builds | ✅ Ephemeral runners |
SBOM¶
Software Bill of Materials (SBOM) is generated for each release:
# Download SBOM (CycloneDX format)
wget https://github.com/fboiero/MIESC/releases/download/v5.4.3/sbom.json
Troubleshooting¶
Signature Verification Fails¶
Possible causes:
- File modified: Re-download the artifact
- Wrong certificate: Ensure
.sigand.pemmatch the artifact - Clock skew: Ensure system clock is accurate
Certificate Expired¶
Sigstore certificates are short-lived (10 minutes), but signatures remain valid because they're recorded in the Rekor transparency log.
# Verify with transparency log
cosign verify-blob \
--signature file.sig \
--certificate file.pem \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--insecure-ignore-sct \
file
Security Contacts¶
If you discover a security issue with the release process:
- Email: fboiero@frvm.utn.edu.ar
- Security Policy: SECURITY.md
References¶
Last updated: May 2026