commands.sh

gh attestation

all

Download and verify artifact attestations to ensure their integrity and provenance.


Options (3)

-R, --repo {{owner}}/{{repository}}

Download attestations for a local file associated with a specific repository (takes a value; it is not a boolean switch)

Example: gh {{[at|attestation]}} download {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}

-o, --owner {{organization_name}}

Download attestations for an OCI container image associated with an organization (takes a value)

Example: gh {{[at|attestation]}} download oci://{{image_uri}} {{[-o|--owner]}} {{organization_name}}

-b, --bundle {{path/to/bundle.jsonl}}

Perform a fully offline verification using a downloaded bundle and a custom trusted root file (both flags take a path)

Example: gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-b|--bundle]}} {{path/to/bundle.jsonl}} --custom-trusted-root {{path/to/trusted_root.jsonl}}

Examples (7)

Download attestations for a local file associated with a specific repository

gh [at|attestation] download path/to/artifact.bin [-R|--repo] owner/repository

Download attestations for an OCI container image associated with an organization

gh [at|attestation] download oci://image_uri [-o|--owner] organization_name

Verify a local artifact online against attestations from a specific repository

gh [at|attestation] verify path/to/artifact.bin [-R|--repo] owner/repository

Verify an artifact, additionally requiring that it was signed by a specific reusable workflow (a tighter policy than matching only the owner)

gh [at|attestation] verify path/to/artifact.bin [-o|--owner] organization_name --signer-workflow owner/repository/path/to/workflow.yml

Verify an artifact and output the detailed verification results as JSON for use in policy engines

gh [at|attestation] verify path/to/artifact.bin [-o|--owner] organization_name --format json

Perform a fully offline verification using a downloaded bundle and a custom trusted root file

gh [at|attestation] verify path/to/artifact.bin [-b|--bundle] path/to/bundle.jsonl --custom-trusted-root path/to/trusted_root.jsonl

Save the trusted root of signing certificates to a file for offline verification

gh [at|attestation] trusted-root > path/to/trusted_root.jsonl
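The offline-verification examples above take a bundle file written by `gh attestation download`: a `.jsonl` with one Sigstore bundle per line, whose DSSE envelope carries an in-toto statement that binds the artifact by its SHA-256 digest. The script below is an added example, not code from tldr-pages or the gh CLI. It does not check any signature (that is the job of `gh attestation verify`); it only confirms, before you run an offline verify, that the bundle you are holding actually covers the artifact on disk, so that a stale bundle paired with a newer build fails early instead of producing a confusing verification error. The function names and the sample bundle built by `make_sample_bundle` are this example's own constructions; the bundle layout it reads (`dsseEnvelope.payloadType`, `dsseEnvelope.payload`, `subject[].digest.sha256`) is the Sigstore bundle / in-toto Statement format.

```python
"""Pre-check that a downloaded attestation bundle covers a local artifact.

Added example (not part of tldr-pages or the gh CLI). Signature checking is
deliberately NOT done here; use `gh attestation verify` for that.
"""
from __future__ import annotations

import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_bundles(jsonl_text: str) -> list[dict]:
    """Parse the .jsonl produced by `gh attestation download`: one Sigstore bundle per line."""
    bundles = []
    for n, line in enumerate(jsonl_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            bundles.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: not valid JSON ({exc})") from exc
    return bundles


def statement_of(bundle: dict) -> dict | None:
    """Decode the in-toto Statement inside the bundle's DSSE envelope.

    Returns None when the envelope carries something other than an in-toto payload,
    so callers can skip unrelated bundles instead of failing on them.
    """
    env = bundle.get("dsseEnvelope")
    if not env or env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        return None
    stmt = json.loads(base64.b64decode(env["payload"], validate=True))
    if not isinstance(stmt.get("subject"), list):
        raise ValueError("DSSE payload is not an in-toto Statement (no subject list)")
    return stmt


def covering_statements(bundles: list[dict], artifact_digest: str) -> list[dict]:
    """Statements whose subject list binds exactly this artifact digest (case-insensitive hex)."""
    wanted = artifact_digest.lower()
    matches = []
    for bundle in bundles:
        stmt = statement_of(bundle)
        if stmt is None:
            continue
        for subj in stmt["subject"]:
            if subj.get("digest", {}).get("sha256", "").lower() == wanted:
                matches.append(stmt)
                break
    return matches


def precheck(jsonl_text: str, artifact_bytes: bytes) -> dict:
    """Summarise whether the bundle file covers the artifact. 'covering' == 0 means stop."""
    digest = sha256_hex(artifact_bytes)
    bundles = load_bundles(jsonl_text)
    matched = covering_statements(bundles, digest)
    return {
        "artifact_sha256": digest,
        "bundles": len(bundles),
        "covering": len(matched),
        "predicate_types": sorted({s.get("predicateType", "") for s in matched}),
    }


def make_sample_bundle(subject_name: str, digest_hex: str, predicate_type: str) -> str:
    """Constructed sample for this demo: a minimal bundle-shaped JSON line with an
    in-toto v1 Statement. The signature is a placeholder, not a real Sigstore signature."""
    stmt = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": digest_hex}}],
        "predicateType": predicate_type,
        "predicate": {},
    }
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {},
        "dsseEnvelope": {
            "payloadType": IN_TOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(json.dumps(stmt).encode()).decode(),
            "signatures": [{"sig": "cGxhY2Vob2xkZXI="}],
        },
    })


if __name__ == "__main__":
    # Constructed input: one bundle for the current artifact, one left over from an older build.
    artifact = b"constructed artifact bytes\n"
    current = make_sample_bundle("artifact.bin", sha256_hex(artifact), "https://slsa.dev/provenance/v1")
    stale = make_sample_bundle("artifact.bin", sha256_hex(b"an older build\n"), "https://slsa.dev/provenance/v1")
    result = precheck(current + "\n" + stale + "\n", artifact)
    print(json.dumps(result, indent=2))
    if result["covering"] == 0:
        raise SystemExit("bundle does not cover this artifact; an offline verify of it would be meaningless")
```

In practice, replace the constructed input with `open("path/to/bundle.jsonl").read()` and the bytes of `path/to/artifact.bin`, and only proceed to `gh attestation verify ... --bundle ... --custom-trusted-root ...` when `covering` is at least 1. The script intentionally reports every predicate type it found, since a bundle file may hold several attestations (for example a SLSA provenance and an SBOM attestation) for the same digest.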
made by @shridhargupta | data from tldr-pages