Verify HitKeep Binaries and Docker Images

Every supported HitKeep binary and Docker image published in a GitHub Release is signed with a GitHub Artifact Attestation — a cryptographically verifiable build-provenance record linking the artifact to the exact commit, workflow run, and Actions runner that produced it.

Verifying before deployment gives you evidence that the artifact was built from the official source code and has not been tampered with in transit or in the registry.

Install the GitHub CLI (gh) v2.49 or later, which includes the attestation subcommand:

Terminal window
gh --version

No authentication is required for public repositories.

HitKeep attaches raw Linux binaries to GitHub Releases for linux/amd64 and linux/arm64. Each binary is attested at build time and listed in the release SHA256SUMS file.

1. Download the binary:

Terminal window
# Linux AMD64
curl -L https://github.com/pascalebeier/hitkeep/releases/latest/download/hitkeep-linux-amd64 \
-o hitkeep-linux-amd64
# Linux ARM64
curl -L https://github.com/pascalebeier/hitkeep/releases/latest/download/hitkeep-linux-arm64 \
-o hitkeep-linux-arm64

2. Verify the attestation:

Terminal window
gh attestation verify hitkeep-linux-amd64 --owner pascalebeier
gh attestation verify hitkeep-linux-arm64 --owner pascalebeier

A passing result looks like:

Loaded digest sha256:<digest> for file://hitkeep-linux-amd64
✓ Verification succeeded!
The following 1 attestation(s) matched the artifact:
- Build repo: https://github.com/pascalebeier/hitkeep
- Workflow: .github/workflows/pipeline.yml
- Ref: refs/tags/v1.x.x
- Signer: https://github.com/pascalebeier/hitkeep/.github/workflows/pipeline.yml@refs/tags/v1.x.x

If verification fails for any reason, the command exits with a non-zero status and prints a clear error. Do not run the binary.

3. Verify the checksum:

Terminal window
curl -L https://github.com/pascalebeier/hitkeep/releases/latest/download/SHA256SUMS \
-o SHA256SUMS
sha256sum -c --ignore-missing SHA256SUMS
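
Steps 2 and 3 combined into a fail-closed install gate, as an added example that is not part of the HitKeep documentation. It narrows the policy from `--owner` to `--repo` plus the signing workflow shown in the passing output, and requires a matching SHA256SUMS entry before installing. The function names and the destination path are assumptions.

```shell
#!/usr/bin/env bash
# Added example: fail-closed install gate for a HitKeep release binary.
# Assumptions (not from the HitKeep docs): the function names, the install
# destination, and narrowing the policy with --repo / --signer-workflow.
set -u

REPO="pascalebeier/hitkeep"
WORKFLOW="$REPO/.github/workflows/pipeline.yml"

# Provenance: accept only attestations from this repository, signed by the
# release workflow, and produced on a GitHub-hosted runner.
check_attestation() {
  gh attestation verify "$1" --repo "$REPO" --signer-workflow "$WORKFLOW" \
    --deny-self-hosted-runners >/dev/null
}

# Integrity: the file must be listed in SHA256SUMS and its hash must match.
# An absent entry is treated as a failure, not skipped.
check_checksum() {
  local file="$1" sums="$2" name expected actual
  name="$(basename "$file")"
  expected="$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")"
  [ -n "$expected" ] || { echo "no SHA256SUMS entry for $name" >&2; return 1; }
  actual="$(sha256sum "$file" | awk '{ print $1 }')"
  [ "$expected" = "$actual" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Gate: both checks must pass before the file is installed as executable.
verify_and_install() {
  local file="$1" sums="$2" dest="$3"
  check_attestation "$file" || { echo "attestation failed: $file" >&2; return 1; }
  check_checksum "$file" "$sums" || return 1
  install -m 0755 "$file" "$dest"
}

# Usage (files downloaded as in steps 1 and 3):
#   verify_and_install hitkeep-linux-amd64 SHA256SUMS /usr/local/bin/hitkeep
```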

HitKeep images are published to two registries for linux/amd64 and linux/arm64, both carrying identical provenance attestations.

Terminal window
gh attestation verify oci://index.docker.io/pascalebeier/hitkeep:latest \
--owner pascalebeier

Pin to a specific version (recommended for production):

Terminal window
gh attestation verify oci://index.docker.io/pascalebeier/hitkeep:1.7.0 \
--owner pascalebeier

Terminal window
gh attestation verify oci://ghcr.io/pascalebeier/hitkeep:latest \
--owner pascalebeier

| Claim | What it means |
| --- | --- |
| Repository | Built from github.com/pascalebeier/hitkeep |
| Workflow | Produced by .github/workflows/pipeline.yml |
| Ref | Corresponds to a specific tag or commit |
| Runner environment | Ran on a GitHub-hosted ubuntu-latest runner |

The attestation does not prove that the binary is free of vulnerabilities — it proves the artifact originated from the official CI pipeline and has not been modified after the fact.