gh-attestation - Man Page

• Download attestations for a local file associated with a specific repository: gh [at|attestation] download path/to/artifact.bin [-R|--repo] owner/repo
• Download attestations for an OCI container image associated with an organization: gh [at|attestation] download oci://image_uri [-o|--owner] organization_name
• Verify a local artifact online against attestations from a specific repository: gh [at|attestation] verify path/to/artifact.bin [-R|--repo] owner/repo
• Verify an artifact, requiring it was signed by a specific reusable workflow for enhanced security: gh [at|attestation] verify path/to/artifact.bin [-o|--owner] organization_name --signer-workflow owner/repo/path/to/workflow.yml
• Verify an artifact and output the detailed verification results as JSON for use in policy engines: gh [at|attestation] verify path/to/artifact.bin [-o|--owner] organization_name --format json
• Perform a fully offline verification using a downloaded bundle and a custom trusted root file: gh [at|attestation] verify path/to/artifact.bin [-b|--bundle] path/to/bundle.jsonl --custom-trusted-root path/to/trusted_root.jsonl
• Save the trusted root of signing certificates to a file for offline verification: gh [at|attestation] trusted-root > path/to/trusted_root.jsonl

tldr.sh

gh attestation [subcommand] [flags]

Download and verify artifact attestations.

gh-attestation-download(1)

Download an artifact's attestations for offline use

gh-attestation-trusted-root(1)

Output trusted_root.jsonl contents, likely for offline verification

gh-attestation-verify(1)

Verify an artifact's integrity using attestations

gh at

0: Successful execution

1: Error

2: Command canceled

4: Authentication required

NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.

gh(1)

gh(1), gh-attestation-download(1), gh-attestation-trusted-root(1), gh-attestation-verify(1).