Premier’s tag release workflow publishes reproducible platform archives, SPDX SBOMs, GitHub build provenance, an aggregate SHA256SUMS, and a keyless Sigstore bundle for that manifest. A checksum alone detects corruption; the Sigstore certificate binds the manifest to Premier’s GitHub release workflow.
Verify publisher and assets
Install cosign, download the archive plus SHA256SUMS and SHA256SUMS.sigstore.json from the same GitHub Release, then run:
./scripts/verify-release.sh --directory ./downloads
The verifier requires:
- OIDC issuer
https://token.actions.githubusercontent.com - certificate identity matching
PremierStudio/premier.dev/.github/workflows/release.ymlon a version tag - every downloaded archive digest to match the authenticated aggregate manifest
It fails closed for a missing bundle, different repository/workflow identity, wrong issuer, modified manifest, missing asset, or changed archive.
Install only after authentication
expected="$(awk '$2 ~ /aarch64-apple-darwin.tar.gz$/ {print $1}' downloads/SHA256SUMS)"
./scripts/install.sh \
--archive downloads/premier-0.1.0-aarch64-apple-darwin.tar.gz \
--checksum "$expected" \
--signature-bundle downloads/premier-0.1.0-aarch64-apple-darwin.tar.gz.sigstore.json
The installer then repeats archive and internal payload integrity checks, validates target architecture and metadata, rejects unsafe archive entries, and installs atomically.
Independent provenance check
GitHub’s artifact attestation can independently connect an archive digest to the release workflow:
gh attestation verify downloads/premier-0.1.0-aarch64-apple-darwin.tar.gz \
--repo PremierStudio/premier.dev
Sigstore authenticates distribution; macOS Gatekeeper code signing/notarization is a separate platform trust mechanism.