-
Notifications
You must be signed in to change notification settings - Fork 1
Verification
Auto-generated mirror. This page mirrors
docs/verification.md, the canonical source of truth. Do not edit this file directly; editdocs/verification.mdand re-runscripts/wiki/sync_mirrors.py.
Every Evidentia release produces:
- 8 PyPI wheels with PEP 740 attestations
- 1 cosign-signed container image at
ghcr.io/polycentric-labs/evidentia - 1 SLSA Provenance v1 attestation per the container
- 1 CycloneDX 1.7 SBOM attached to the GitHub Release
All four can be verified by consumers using standard open-source tooling. This doc covers the recipes.
Bash / Linux / macOS
# Install pypi-attestations (one-time)
pip install pypi-attestations
# Verify a single wheel
pypi-attestations verify pypi \
--repository https://github.com/Polycentric-Labs/evidentia \
pypi:evidentia_core-0.11.0-py3-none-any.whl
# Expected output:
# OK: evidentia_core-0.11.0-py3-none-any.whlPowerShell (Windows)
# Install pypi-attestations (one-time)
pip install pypi-attestations
# Verify a single wheel
pypi-attestations verify pypi `
--repository https://github.com/Polycentric-Labs/evidentia `
pypi:evidentia_core-0.11.0-py3-none-any.whl
# Expected output:
# OK: evidentia_core-0.11.0-py3-none-any.whlPer-release sweep across all 8 packages:
Bash / Linux / macOS
for pkg in evidentia evidentia_ai evidentia_api evidentia_collectors \
evidentia_core evidentia_eval evidentia_integrations evidentia_mcp; do
pypi-attestations verify pypi \
--repository https://github.com/Polycentric-Labs/evidentia \
"pypi:${pkg}-0.11.0-py3-none-any.whl"
donePowerShell (Windows)
foreach ($pkg in 'evidentia','evidentia_ai','evidentia_api','evidentia_collectors',
'evidentia_core','evidentia_eval','evidentia_integrations','evidentia_mcp') {
pypi-attestations verify pypi `
--repository https://github.com/Polycentric-Labs/evidentia `
"pypi:${pkg}-0.11.0-py3-none-any.whl"
}Bash / Linux / macOS
# Install cosign (one-time)
# https://docs.sigstore.dev/system_config/installation/
# Verify the container's keyless OIDC signature
cosign verify ghcr.io/polycentric-labs/evidentia:v0.11.0 \
--certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.11.0" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
# Expected output: "The cosign claims were validated" + SLSA Provenance v1 JSON.PowerShell (Windows)
# Install cosign (one-time)
# https://docs.sigstore.dev/system_config/installation/
# Verify the container's keyless OIDC signature
cosign verify ghcr.io/polycentric-labs/evidentia:v0.11.0 `
--certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.11.0" `
--certificate-oidc-issuer https://token.actions.githubusercontent.com
# Expected output: "The cosign claims were validated" + SLSA Provenance v1 JSON.Bash / Linux / macOS
# Download the SBOM
gh release download v0.11.0 --pattern 'evidentia-sbom.cdx.json' \
--repo Polycentric-Labs/evidentia
# Scan for vulnerabilities
osv-scanner scan source -L evidentia-sbom.cdx.json
# Expected output: "No issues found" (or surfaced advisories with severities).PowerShell (Windows)
# Download the SBOM
gh release download v0.11.0 --pattern 'evidentia-sbom.cdx.json' `
--repo Polycentric-Labs/evidentia
# Scan for vulnerabilities
osv-scanner scan source -L evidentia-sbom.cdx.json
# Expected output: "No issues found" (or surfaced advisories with severities).The container's cosign verify output above includes the SLSA Provenance v1
attestation inline. To extract it:
Requires cosign ≥ 2.6. The provenance attestation is stored via the OCI 1.1 referrers API (pushed by
actions/attest-build-provenance); cosign 2.4.x can verify the image signature but returnsno matching attestationsfor the referrer-stored attestation. If you are pinned to an older cosign, use the tool-nativegh attestation verify oci://ghcr.io/polycentric-labs/evidentia:v0.11.0 -R Polycentric-Labs/evidentiainstead (anyghversion finds it).
Bash / Linux / macOS
cosign verify-attestation ghcr.io/polycentric-labs/evidentia:v0.11.0 \
--certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.11.0" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--type slsaprovenance1PowerShell (Windows)
cosign verify-attestation ghcr.io/polycentric-labs/evidentia:v0.11.0 `
--certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.11.0" `
--certificate-oidc-issuer https://token.actions.githubusercontent.com `
--type slsaprovenance1-
SECURITY.md— vulnerability reporting policy -
EOL.md— version support windows -
docs/sigstore-quickstart.md— Sigstore introduction
-
- AI Governance
- Air Gapped Install
- Ci Integration
- CONMON Deployment
- Emit Cyclonedx VEX
- Emit OCSF Detection
- Emit SARIF
- Emit Traceability Matrix
- Explain Controls
- Generate And Quantify Risk
- Governance Metrics And Workflows
- Ingest OCSF
- Manage Catalogs
- Manage Model Risk
- Manage POAM
- Manage Retention
- Manage Third Party Risk
- MCP Client Setup
- OSPS Self Assessment
- Push To Integrations
- Run Collectors
- Run Gap Analysis
- Serve The Web Ui
- Sign And Verify Evidence
- Track Evidence Lineage