Every EGC release is published with build provenance attestations that allow you to verify the integrity and authenticity of the release assets.
EGC is published to npm with --provenance, which generates a signed provenance attestation linked to the GitHub Actions workflow that built it.
To verify:
npm audit signatures egc-universalExpected output:
audited 1 package in Xs
1 package has a verified registry signature
1 package has a verified attestation
Build provenance for release tarballs is attested via GitHub Artifact Attestations.
To verify a release tarball:
gh attestation verify egc-universal-<version>.tgz \
--owner Fmarzochi \
--repo EGCExpected output confirms that the artifact was produced by the release.yml workflow in the Fmarzochi/EGC repository.
The attestation certificate contains the workflow identity:
- Issuer:
https://token.actions.githubusercontent.com - Subject:
https://github.com/Fmarzochi/EGC/.github/workflows/release.yml@refs/tags/vX.Y.Z
This confirms that the release was built by the official GitHub Actions workflow from the official repository, not from an arbitrary machine or actor.
| Asset | Attestation Type |
|---|---|
npm tarball (egc-universal-*.tgz) |
Build provenance (SLSA Level 2) |
| npm package (published) | npm provenance (--provenance flag) |
All attestations use Sigstore's keyless signing infrastructure. No manual key management is required. Verification uses the public Sigstore transparency log (Rekor) to confirm the signature was created during the CI run at the time of release.