Cryptographic Verification
🔍 Verifying Signatures & Release Integrity
This document covers how to verify cryptographic signatures for commits, tags, and releases. For complete signing setup and mode selection, see the Complete Signing Guide.
🎯 Quick Verification Commands
Verify Any Commit
# Verify specific commit
gitsign verify <commit-hash>
# Verify current HEAD
gitsign verify HEAD
# Verify with expected identity
gitsign verify --certificate-identity="albert@securityronin.com" HEAD
Verify Tags and Releases
# Verify signed tag
git tag -v v0.6.5
# Show signature details
git log --show-signature -1 v0.6.5
Verify Installation Files
# Download checksums and installer
curl -sL https://github.com/h4x0r/1-click-github-sec/releases/latest/download/checksums.txt -o checksums.txt
curl -sL https://github.com/h4x0r/1-click-github-sec/releases/latest/download/install-security-controls.sh -o install-security-controls.sh
# VERIFY checksum before execution (STRONGLY RECOMMENDED - critical security practice)
sha256sum -c checksums.txt
# Verify release signature
git tag -v v0.6.5
🔐 What Verification Checks
gitsign (Sigstore) Verification
✅ Certificate validity - Was certificate valid at signing time? ✅ Identity binding - Does signer identity match expected email? ✅ Transparency logging - Is signature recorded in Rekor ledger? ✅ Signature integrity - Has commit been tampered with since signing? ✅ Trust chain - Is certificate issued by trusted Fulcio CA?
Example Successful Verification
$ gitsign verify HEAD
tlog index: 567315903
gitsign: Signature made using certificate ID 0xd1cb214b2a12f6732a84d1777720903036dbd739
gitsign: Good signature from [albert@securityronin.com](https://github.com/login/oauth)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: false
WARNING: git verify-commit does not verify cert claims. Prefer using `gitsign verify` instead.
Example Failed Verification
$ gitsign verify HEAD
Error: signature verification failed
Details: commit content has been modified after signing
🔍 Advanced Verification
Verify Against Rekor Transparency Log
# Verify release in Rekor transparency ledger
import requests
def verify_release(tag_name, expected_identity):
"""Verify a release exists in Rekor transparency ledger"""
rekor_url = "https://rekor.sigstore.dev/api/v1/log/entries"
try:
response = requests.get(f"{rekor_url}?logIndex=latest")
entries = response.json()
for entry in entries:
# Check if entry relates to our tag
if tag_name in entry.get("body", {}).get("spec", {}).get("data", ""):
return {
"verified": True,
"timestamp": entry.get("integratedTime"),
"identity": entry.get("body", {}).get("spec", {}).get("identity"),
"log_index": entry.get("logIndex")
}
except Exception as e:
return {"verified": False, "error": str(e)}
return {"verified": False, "reason": "No matching entry found"}
# Usage
result = verify_release("v0.6.5", "albert@securityronin.com")
print(f"Verification result: {result}")
Manual Signature Inspection
# Show raw signature data
git cat-file commit HEAD | grep -A 20 "-----BEGIN"
# Check certificate details
git log --format="%G?" HEAD # G=good, B=bad, U=unknown, N=none
# Detailed signature info
git log --format="%GG" HEAD
📋 Verification Checklist
When verifying releases or commits:
- [ ] File checksum verified (
sha256sum -c checksums.txt
) - [ ] Tag signature verified (
git tag -v v0.6.5
) - [ ] Rekor entry confirmed (shows "Validated Rekor entry: true")
- [ ] Identity matches expected maintainer (albert@securityronin.com)
- [ ] Timestamp reasonable (not from suspicious time)
🛠️ Troubleshooting Verification
Common Verification Issues
"gitsign: command not found"
# Install gitsign first
go install github.com/sigstore/gitsign@latest
# Or use our installer
./install-security-controls.sh
"certificate verification failed"
# Check expected identity
gitsign verify --certificate-identity="expected@email.com" HEAD
# Verify certificate was valid at signing time
git log --show-signature -1 HEAD
"rekor entry not found"
# Signature may predate Rekor logging or be invalid
# Check if commit was signed before transparency logging was enabled
# Search Rekor manually
rekor-cli search --email albert@securityronin.com
🔗 Verification Tools
Required Tools
- gitsign - Sigstore signature verification
- git - Built-in GPG signature verification
- sha256sum - File integrity verification
Optional Tools
- rekor-cli - Direct Rekor ledger queries
- cosign - Container and artifact verification
- sigstore-python - Programmatic verification
Installation
# Install via our security controls installer
./install-security-controls.sh
# Or install individually
go install github.com/sigstore/gitsign@latest
go install github.com/sigstore/rekor/cmd/rekor-cli@latest
🎯 Key Verification Principles
✅ Trust but verify - Always verify signatures before trusting code ✅ Check identity binding - Ensure signer matches expected maintainer ✅ Verify transparency logging - Confirm signatures are publicly auditable ✅ Validate file integrity - Use checksums for downloaded files ✅ Check certificate validity - Ensure certificates were valid at signing time
💡 For signing setup and mode selection, see the Complete Signing Guide
The bottom line: Cryptographic verification provides strong assurance that code hasn't been tampered with and comes from the expected source. Always verify before trusting, especially for security-critical tools.