Linux binaries are signed using Sigstore Cosign in keyless mode. This provides cryptographic provenance without managing signing keys.
The release workflow signs each Linux binary using keyless signing via the Sigstore public infrastructure:
- GitHub Actions authenticates via OIDC to Sigstore's Fulcio CA.
- Cosign generates an ephemeral certificate tied to the GitHub Actions workflow identity.
- The signature and certificate are bundled into a `.sigstore.json` file.
- The bundle is uploaded alongside the binary as a release asset.
No secrets are required — authentication is handled automatically via GitHub's OIDC token.
Download both the binary zip and its `.sigstore.json` bundle from the releases page, then verify:

```shell
# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Verify the binary against its Sigstore bundle
cosign verify-blob \
  --bundle machineid-linux-amd64.sigstore.json \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp "github.com/slashdevops/machineid" \
  machineid-linux-amd64
```

A successful verification confirms:

- The binary was built by the `slashdevops/machineid` GitHub Actions workflow.
- The binary has not been tampered with since signing.
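As an added pre-flight check (example code written for this page, not part of the machineid project), the script below reads the `.sigstore.json` bundle and confirms that the SHA-256 digest recorded in it matches the file you downloaded, so a mixed-up or modified release asset is caught before `cosign verify-blob` runs. It assumes the bundle uses the Sigstore bundle JSON layout (`messageSignature.messageDigest`), the sample binary and bundle it writes are constructed, and it does not replace cosign's signature and certificate-identity verification.

```python
"""Pre-flight check before `cosign verify-blob`: does the .sigstore.json bundle
refer to the file we downloaded? Assumes the Sigstore bundle JSON layout, where
messageSignature.messageDigest holds the SHA-256 of the signed blob."""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

def bundle_digest(bundle_path) -> bytes:
    """Return the raw SHA-256 digest recorded inside the bundle."""
    with open(bundle_path, "rb") as f:
        bundle = json.load(f)
    if not bundle.get("mediaType", "").startswith("application/vnd.dev.sigstore.bundle"):
        raise ValueError("not a Sigstore bundle: unexpected mediaType")
    msg_sig = bundle.get("messageSignature")
    if msg_sig is None:
        raise ValueError("bundle has no messageSignature (not a blob signature)")
    md = msg_sig["messageDigest"]
    if md.get("algorithm") != "SHA2_256":
        raise ValueError(f"unsupported digest algorithm: {md.get('algorithm')}")
    return base64.b64decode(md["digest"])  # protobuf JSON encodes bytes as base64

def file_digest(path) -> bytes:
    """SHA-256 of the downloaded asset."""
    return hashlib.sha256(Path(path).read_bytes()).digest()

def bundle_matches_file(bundle_path, binary_path) -> bool:
    """True when the bundle's recorded digest equals the local file's digest."""
    return bundle_digest(bundle_path) == file_digest(binary_path)

def demo() -> tuple:
    """Constructed sample: a fake binary and a minimal bundle written for it."""
    tmp = Path(tempfile.mkdtemp())
    binary = tmp / "machineid-linux-amd64"
    binary.write_bytes(b"constructed sample, not a real binary\n")
    bundle = {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {"certificate": {"rawBytes": "PLACEHOLDER-BASE64-DER"}},
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256",
                              "digest": base64.b64encode(file_digest(binary)).decode()},
            "signature": "PLACEHOLDER-BASE64-SIGNATURE"}}
    bundle_path = tmp / "machineid-linux-amd64.sigstore.json"
    bundle_path.write_text(json.dumps(bundle))
    ok_before = bundle_matches_file(bundle_path, binary)
    binary.write_bytes(b"modified after signing")  # swapped or tampered asset
    return ok_before, bundle_matches_file(bundle_path, binary)
if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note that cosign matches `--certificate-identity-regexp` unanchored, so the pattern in the command above also accepts any other certificate identity that merely contains that substring; anchoring it (for example `^https://github.com/slashdevops/machineid/`) limits acceptance to this repository's own workflows.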
The release workflow requires the `id-token: write` permission to request an OIDC token from GitHub for Sigstore authentication. This is already configured in the workflow.