release-verification
Type: External
Status: Published
Created: Mar 1, 2026
Updated: Mar 1, 2026

Release Verification

All libmagic-rs release artifacts are cryptographically signed to ensure authenticity and integrity. This guide explains how to verify that a downloaded artifact is genuine.

How Releases Are Signed

libmagic-rs uses Sigstore keyless signing via GitHub Attestations. During the release build:

  1. cargo-dist builds release artifacts in GitHub Actions
  2. actions/attest-build-provenance generates a signed SLSA provenance attestation for each artifact
  3. The attestation is stored in GitHub's attestation ledger and Sigstore's transparency log

Keyless signing means there are no long-lived private keys to manage or compromise. Each build receives an ephemeral signing certificate tied to the GitHub Actions workflow identity.

Verifying with GitHub CLI

The simplest way to verify an artifact:

# Install GitHub CLI if you haven't already
# https://cli.github.com/

# Download a release artifact
gh release download v0.1.0 --repo EvilBit-Labs/libmagic-rs

# Verify the artifact
gh attestation verify rmagic-x86_64-unknown-linux-gnu.tar.xz \
  --repo EvilBit-Labs/libmagic-rs

A successful verification looks like:

Loaded digest sha256:abc123... for file rmagic-x86_64-unknown-linux-gnu.tar.xz
Loaded 1 attestation from GitHub API

The following attestation matched the digest:
  - Predicate type: https://slsa.dev/provenance/v1
  - Signer: https://github.com/EvilBit-Labs/libmagic-rs/.github/workflows/release.yml
  - Build trigger: push

What Verification Proves

A successful verification confirms:

  • Authenticity: The artifact was built by the official GitHub Actions workflow in the EvilBit-Labs/libmagic-rs repository
  • Integrity: The artifact has not been modified since it was built
  • Provenance: The build was triggered by a specific commit and tag
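The two sections above verify one artifact and explain what a match proves. The script below, an added example rather than code from the libmagic-rs project, verifies every artifact of a downloaded release in one pass, pins the attestation to the release.yml signer shown in the sample output (so an attestation from any other workflow in the repository does not pass), and fails closed when a directory holds nothing to verify. It assumes a gh release with the `gh attestation` subcommand and its --signer-workflow, --predicate-type and --deny-self-hosted-runners flags; the ./dist path is a placeholder.

```shell
#!/bin/sh
# Added example, not libmagic-rs project code.
set -eu

REPO="EvilBit-Labs/libmagic-rs"
# Pin the signing workflow: the Signer line in a passing verification must
# be this workflow, not any other workflow that runs in the repository.
SIGNER_WORKFLOW="EvilBit-Labs/libmagic-rs/.github/workflows/release.yml"
PREDICATE="https://slsa.dev/provenance/v1"

# artifact_digest FILE -> prints the hex SHA-256 of FILE, the value gh
# reports as "Loaded digest sha256:..." (GNU sha256sum or BSD shasum).
artifact_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE -> exit 0 only if the attestation for this exact
# digest was produced by the pinned workflow on a GitHub-hosted runner.
verify_artifact() {
  gh attestation verify "$1" \
    --repo "$REPO" \
    --signer-workflow "$SIGNER_WORKFLOW" \
    --predicate-type "$PREDICATE" \
    --deny-self-hosted-runners
}

# verify_release DIR -> verify each archive in DIR; stop at the first
# failure, and fail if DIR held no archives (an empty directory must not pass).
verify_release() {
  dir="$1"; n=0
  for f in "$dir"/*.tar.xz "$dir"/*.zip; do
    [ -e "$f" ] || continue
    n=$((n + 1))
    printf 'sha256:%s  %s\n' "$(artifact_digest "$f")" "$f"
    verify_artifact "$f" || { echo "FAIL: $f" >&2; return 1; }
  done
  [ "$n" -gt 0 ] || { echo "FAIL: no artifacts in $dir" >&2; return 1; }
  echo "OK: $n artifact(s) verified"
}

# Usage (placeholder path), after:
#   gh release download v0.1.0 --repo "$REPO" -D ./dist
# verify_release ./dist
```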

Additional Integrity Checks

SBOM (Software Bill of Materials)

Each release includes a CycloneDX SBOM generated by cargo-cyclonedx, listing all dependencies and their versions.

Embedded Dependency Metadata

Release binaries are built with cargo-auditable, which embeds dependency information directly into the binary. You can inspect it with:

cargo audit bin rmagic

This allows post-deployment vulnerability scanning against the RustSec Advisory Database.

Homebrew

Installations via the Homebrew formula in the EvilBit-Labs/homebrew-tap repository are verified through Homebrew's standard SHA256 checksum mechanism; the checksums in the formula are populated from the GitHub Release artifacts. A checksum match proves the download is the file the formula recorded, not who built it; for the authenticity check, run gh attestation verify against the same release tarball.