GitHub Release Attestations

[github-product-roadmap]

Summary

GitHub users need to be able to rely on constructed artifacts to be immutable after they’ve been built. This is something that has traditionally been seen as nearly impossible due to the fact that Releases (a GitHub feature) are tightly bound to tags (a Git feature) and Git tags are mutable. However, with the introduction of GitHub root certificate authority and Sigstore infrastructure we can create tamper-proof attestations that will associate a collection of artifacts with a specific release pURL, repo-of-origin, git tag, and SHA.

Intended Outcome

Users of GitHub releases will be able to verify that a given binary they have downloaded came from a particular GitHub Release.

How will it work?

Customers will be able to:

• Use first party GitHub Actions to generate and sign a release attestation.
• The release attestation will ensure that accompanying build provenance exists for each artifact in the release.
• Store those attestations securely in the GitHub attestation store.
• Download and verify attestations using the GitHub CLI.