Verify downloads.
Every starla release artifact is signed twice — keyless via Sigstore for tarballs and images, and with GPG for apt and rpm repository metadata. Here's how to check both.
Two signing methods
- Cosign (keyless, via Sigstore) signs individual files and container images. No keys to manage; signatures are tied to the GitHub Actions workflow identity and recorded in a public transparency log.
- GPG (Starla Releases <starla@calculon.tech>) signs apt and rpm repository metadata. Required because apt and dnf don't support cosign.
01 Install cosign
See sigstore.dev/installation, or with Nix:
nix shell nixpkgs#cosign
02 Verify a tarball or package
Each artifact on the release page has a matching .sig (signature) and .pem (certificate) file.
# download the artifact and its signature files
curl -LO https://github.com/ananthb/starla/releases/latest/download/starla-amd64.tar.gz
curl -LO https://github.com/ananthb/starla/releases/latest/download/starla-amd64.tar.gz.sig
curl -LO https://github.com/ananthb/starla/releases/latest/download/starla-amd64.tar.gz.pem

# verify
cosign verify-blob \
  --signature starla-amd64.tar.gz.sig \
  --certificate starla-amd64.tar.gz.pem \
  --certificate-identity-regexp 'https://github.com/ananthb/starla/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  starla-amd64.tar.gz
The same command works for .deb, .rpm, and the arm64 tarball.
03 Verify a container image
cosign verify \
  --certificate-identity-regexp 'https://github.com/ananthb/starla/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/ananthb/starla:latest
This checks that the image was built and pushed by the starla GitHub Actions release workflow, and that the signature is recorded in Sigstore's Rekor transparency log.
04 Verify checksums
The SHA256SUMS file covers every release artifact, and is itself signed:
curl -LO https://github.com/ananthb/starla/releases/latest/download/SHA256SUMS
curl -LO https://github.com/ananthb/starla/releases/latest/download/SHA256SUMS.sig
curl -LO https://github.com/ananthb/starla/releases/latest/download/SHA256SUMS.pem

# verify the checksums file is authentic
cosign verify-blob \
  --signature SHA256SUMS.sig \
  --certificate SHA256SUMS.pem \
  --certificate-identity-regexp 'https://github.com/ananthb/starla/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  SHA256SUMS

# then verify individual files against the checksums
sha256sum -c SHA256SUMS
05 What the flags mean
- --certificate-identity-regexp — ensures the certificate was issued to a workflow in the ananthb/starla repository.
- --certificate-oidc-issuer — ensures the certificate came from GitHub Actions (not some other OIDC provider).
Together: this artifact was built by the starla CI pipeline on GitHub, not by an arbitrary third party.
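As an added example (not code from the starla project), the checks from sections 02, 04 and 05 combined into one script for a single downloaded artifact; it assumes the artifact, SHA256SUMS, SHA256SUMS.sig and SHA256SUMS.pem are already in the current directory and that cosign is on PATH. The awk filter closes a gap in a bare `sha256sum -c`: an artifact that is absent from the list would otherwise pass as long as some other listed file verified.

```shell
#!/bin/sh
# Added example, not starla's own tooling. Verifies one release artifact:
#   1. the SHA256SUMS list is signed by the starla GitHub Actions workflow
#   2. the artifact's hash matches its entry in that signed list
# Assumes: artifact + SHA256SUMS{,.sig,.pem} in the current directory, cosign
# installed. Flag values are the ones the page gives.
set -u

STARLA_IDENTITY_RE='https://github.com/ananthb/starla/'
GITHUB_OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Step 1: only a list signed by the repo's CI (identity) via GitHub's OIDC
# issuer is trusted; any other signer fails here.
verify_sums_signature() {
  cosign verify-blob \
    --signature SHA256SUMS.sig \
    --certificate SHA256SUMS.pem \
    --certificate-identity-regexp "$STARLA_IDENTITY_RE" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    SHA256SUMS
}

# Step 2: check exactly one file against the signed list.
# `sha256sum -c SHA256SUMS` alone complains about every listed file you did not
# download, and with --ignore-missing it would pass even if this artifact is
# not in the list at all (as long as some other listed file verified). So
# select the artifact's own line first: empty selection => no line to check
# => sha256sum exits non-zero, which is the result we want.
check_sum() {
  artifact=$1
  sums=${2:-SHA256SUMS}
  [ -f "$artifact" ] || { echo "missing: $artifact" >&2; return 1; }
  # list lines look like "<hex>  <name>" or "<hex> *<name>" (binary mode)
  awk -v f="$artifact" '$2 == f || $2 == ("*" f)' "$sums" | sha256sum -c -
}

verify_release() {
  verify_sums_signature || { echo "SHA256SUMS signature check failed" >&2; return 1; }
  check_sum "$1" || { echo "checksum mismatch or not listed: $1" >&2; return 1; }
  echo "ok: $1"
}

# usage: ./verify-starla.sh starla-amd64.tar.gz
if [ "$#" -gt 0 ]; then
  verify_release "$1"
fi
```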
06 GPG key for apt & rpm repos
The apt and rpm package repositories are signed with a dedicated GPG key. If you installed starla via .deb or .rpm, the key was included in the package automatically.
# fingerprint
26EA A5BE 15BF 6722 76EB 0B2F EBBC F639 82F4 CCD1

# download manually
curl -fsSL https://ananthb.github.io/starla/deb/KEY.gpg | gpg --show-keys