Release Verification

Every libmagic-rs release artifact is covered by a cryptographically signed provenance attestation, so a downloaded file can be checked for both authenticity (it was built by the project's own release workflow) and integrity (it is byte-for-byte what that workflow produced). This guide explains how to perform that check.

How Releases Are Signed

libmagic-rs uses Sigstore keyless signing via GitHub Attestations. During the release build:

  1. cargo-dist builds release artifacts in GitHub Actions
  2. actions/attest-build-provenance generates a signed SLSA provenance attestation for each artifact
  3. The attestation is stored in GitHub’s attestation ledger and Sigstore’s transparency log

Keyless signing means there are no long-lived private keys to manage or compromise. Each build receives a short-lived signing certificate from Sigstore's certificate authority, issued against the GitHub Actions workflow's OIDC identity (repository, workflow file and ref). The trust therefore rests on that identity rather than on a key: a verifier must pin the repository and workflow it expects, otherwise an attestation produced by any other workflow, including one in a fork, would carry an equally valid signature.

Verifying with GitHub CLI

The simplest way to verify an artifact. The --repo flag is not optional: it tells gh to accept only attestations whose signer identity is the EvilBit-Labs/libmagic-rs repository.

# Install GitHub CLI if you haven't already
# https://cli.github.com/

# Download a release artifact
gh release download v0.1.0 --repo EvilBit-Labs/libmagic-rs

# Verify the artifact
gh attestation verify rmagic-x86_64-unknown-linux-gnu.tar.xz \
  --repo EvilBit-Labs/libmagic-rs

A successful verification looks like:

Loaded digest sha256:abc123... for file rmagic-x86_64-unknown-linux-gnu.tar.xz
Loaded 1 attestation from GitHub API

The following attestation matched the digest:
  - Predicate type: https://slsa.dev/provenance/v1
  - Signer:         https://github.com/EvilBit-Labs/libmagic-rs/.github/workflows/release.yml
  - Build trigger:  push

If the file's digest matches no attestation, or the only matching attestation was signed by a different repository or workflow, gh reports the failure and exits non-zero, so the command can be used directly as a gate in scripts. To pin the policy more tightly than --repo alone, gh attestation verify also accepts --signer-workflow EvilBit-Labs/libmagic-rs/.github/workflows/release.yml (reject attestations from any other workflow file in the repository) and --deny-self-hosted-runners (reject builds that did not run on GitHub-hosted runners).

What Verification Proves

A successful verification confirms:

  • Authenticity: The attestation was signed by the official release workflow in the EvilBit-Labs/libmagic-rs repository, as identified by the Sigstore certificate, not by a fork or a locally run build
  • Integrity: The artifact's SHA-256 digest matches the subject recorded in the attestation, so it has not been modified since it was built
  • Provenance: The attestation records the commit and ref (tag) the build was triggered from, so the artifact can be traced back to specific source code

It does not confirm that the source at that commit is trustworthy, that the workflow's own dependencies were unmodified, or that the tag still points at the same commit (tags are mutable; the commit hash in the attestation is the durable identifier). Those remain review and policy questions that verification only makes answerable.
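To make the three claims above concrete, here is an added example (not code from the libmagic-rs project) that models the policy checks gh attestation verify applies once the Sigstore signature on the attestation has already been validated: the downloaded file's SHA-256 must be a subject of the in-toto statement, the predicate must be SLSA v1 provenance, and the builder identity must be the expected workflow in the expected repository. It does not reimplement the signature check itself. The statement is constructed inline in the SLSA v1 shape used by GitHub workflow attestations; the artifact bytes, commit hash and field values are placeholders, not taken from a real release.

```python
"""Policy checks behind a successful provenance verification (added example).

Models what happens after the attestation's Sigstore signature has been
validated: digest match, predicate type, builder identity, source commit.
The statement and artifact below are constructed stand-ins, not a real
libmagic-rs release or attestation.
"""
import hashlib
import json
import os
import tempfile

EXPECTED_REPO = "EvilBit-Labs/libmagic-rs"
EXPECTED_WORKFLOW = ".github/workflows/release.yml"
SLSA_V1 = "https://slsa.dev/provenance/v1"
ARTIFACT_NAME = "rmagic-x86_64-unknown-linux-gnu.tar.xz"
# Constructed sample bytes standing in for the downloaded tarball.
ARTIFACT_BYTES = b"constructed sample artifact bytes, not a real rmagic tarball\n"


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sample_statement(artifact_digest, repo=EXPECTED_REPO, ref="refs/tags/v0.1.0"):
    """Constructed in-toto statement carrying SLSA v1 provenance for one subject."""
    repo_url = "https://github.com/" + repo
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": artifact_digest}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {
                    "workflow": {"ref": ref, "repository": repo_url, "path": EXPECTED_WORKFLOW}
                },
                "resolvedDependencies": [
                    # Placeholder commit hash; a real statement carries the built commit.
                    {"uri": "git+" + repo_url + "@" + ref, "digest": {"gitCommit": "0" * 40}}
                ],
            },
            "runDetails": {"builder": {"id": repo_url + "/" + EXPECTED_WORKFLOW + "@" + ref}},
        },
    }


def check_provenance(statement, artifact_path, expected_repo=EXPECTED_REPO,
                     expected_workflow=EXPECTED_WORKFLOW):
    """Return (ok, reason, details); fails closed on the first mismatch."""
    digest = sha256_file(artifact_path)
    name = os.path.basename(artifact_path)
    # Integrity: the exact bytes on disk must be a subject of the statement.
    subjects = statement.get("subject", [])
    subject = next((s for s in subjects if s.get("digest", {}).get("sha256") == digest), None)
    if subject is None:
        return False, "digest not covered by attestation", {}
    if subject.get("name") != name:
        return False, "subject name mismatch", {"subject": subject.get("name")}
    if statement.get("predicateType") != SLSA_V1:
        return False, "unexpected predicate type", {"predicateType": statement.get("predicateType")}
    pred = statement.get("predicate", {})
    # Authenticity: the builder must be the release workflow of the expected repo, not a fork.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    expected_prefix = "https://github.com/" + expected_repo + "/" + expected_workflow + "@"
    if not builder_id.startswith(expected_prefix):
        return False, "builder identity mismatch", {"builder": builder_id}
    # Provenance: the statement must name the source commit in the expected repository.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    src_prefix = "git+https://github.com/" + expected_repo + "@"
    src = next((d for d in deps if d.get("uri", "").startswith(src_prefix)), None)
    if src is None or "gitCommit" not in src.get("digest", {}):
        return False, "source commit missing", {}
    return True, "ok", {"ref": builder_id.split("@", 1)[1], "commit": src["digest"]["gitCommit"]}


def _with_artifact(fn):
    """Write the constructed artifact to a temp dir and hand its path to fn."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ARTIFACT_NAME)
        with open(path, "wb") as f:
            f.write(ARTIFACT_BYTES)
        return fn(path)


def demo_verify():
    """Untampered artifact against a matching statement: passes."""
    return _with_artifact(lambda p: check_provenance(sample_statement(sha256_file(p)), p))


def demo_tampered():
    """Artifact modified after attestation: digest no longer covered."""
    def run(p):
        stmt = sample_statement(sha256_file(p))
        with open(p, "ab") as f:
            f.write(b"X")  # post-build modification
        return check_provenance(stmt, p)
    return _with_artifact(run)


def demo_fork():
    """Valid-looking statement signed by a fork's workflow: identity rejected."""
    return _with_artifact(
        lambda p: check_provenance(sample_statement(sha256_file(p), repo="someone-else/libmagic-rs"), p))


if __name__ == "__main__":
    for label, result in (("genuine", demo_verify()), ("tampered", demo_tampered()), ("fork", demo_fork())):
        ok, reason, details = result
        print(label, "PASS" if ok else "FAIL", reason, json.dumps(details))
```

The three demos correspond to the three claims: the genuine case yields the ref and commit you would then audit, the tampered case fails on the digest (integrity), and the fork case fails on the builder identity (authenticity) even though its statement is otherwise well-formed, which is exactly why the repository pin in --repo matters.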

Additional Integrity Checks

SBOM (Software Bill of Materials)

Each release includes a CycloneDX SBOM generated by cargo-cyclonedx, listing all dependencies and their versions. It is published as a release artifact, so verify it with gh attestation verify in the same way as the binary before feeding it to a vulnerability scanner; an unverified SBOM can be swapped just as easily as an unverified binary.

Embedded Dependency Metadata

Release binaries are built with cargo-auditable, which embeds the dependency list (crate names and versions) directly into the binary. You can inspect it with cargo-audit, installed with its binary-scanning feature (cargo install cargo-audit --features=binary-scanning):

cargo audit bin rmagic

This allows post-deployment vulnerability scanning against the RustSec Advisory Database without access to the source tree or lockfile the binary was built from.

Homebrew

Homebrew formula installations from the EvilBit-Labs/homebrew-tap tap are verified through Homebrew's standard SHA256 checksum mechanism; the checksums in the formula are populated from the GitHub Release artifacts. This checks that the download matches what the formula pins, but it does not check the Sigstore attestation, so the chain of trust rests on the tap repository and its release process. If you need the attestation-backed guarantee, run gh attestation verify against the same artifact the formula downloads.