Releases: TraceCoreAI/tracecore
v0.0.0-m3test-7
Reproducibility
Verify a published tracecore release end-to-end from source. Four
artifacts ship with every release tag: the binary, a CycloneDX SBOM, a
keyless cosign signature bundle, and an SLSA v1.0 in-toto provenance
attestation. The commands below reproduce the build at the same git SHA,
diff it against the published binary, and verify each of the three
attestations independently.
This walkthrough targets linux/amd64. linux/arm64 is opt-in and
follows the same sequence with GOARCH=arm64. See
PRINCIPLES.md §12 for the reproducibility invariant
this verifies.
Prerequisites
- Go ≥ the version pinned in .go-version.
- cosign ≥ 2.2.0 (Sigstore keyless verification).
- diffoscope (Linux: apt-get install diffoscope).
- gh CLI ≥ 2.49.0, authenticated to GitHub (gh attestation verify plus asset download).
- A POSIX shell — Linux or macOS.
The SLSA v1.0 provenance attestation ships as a Sigstore bundle written
by actions/attest-build-provenance and is verified offline by gh attestation verify against the downloaded .intoto.jsonl.
Walkthrough
Pick the release tag you want to verify, then run the commands in order.
Every command exits 0 on success; any non-zero exit means
reproducibility broke for that release.
```bash
# 0. Pin the release tag you are verifying.
TAG=v0.1.0
REPO=TraceCoreAI/tracecore
WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# 1. Clone at the exact tag. --depth=1 is fine; the build only needs
# HEAD's git log timestamp for SOURCE_DATE_EPOCH, which is read from
# the tagged commit, not from history depth.
git clone --depth=1 --branch "$TAG" "https://github.com/${REPO}.git" src
cd src

# 2. Rebuild. The Makefile computes SOURCE_DATE_EPOCH from the latest
# commit timestamp when the env var is unset, so two builds at the
# same SHA agree by construction. CGO_ENABLED=0 keeps the host C
# toolchain out of the reproducibility surface.
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 make build
sha256sum tracecore

# 3. Download the published binary, SBOM, signature bundle, and
# provenance attestation as a single asset set.
cd ..
gh release download "$TAG" \
  --repo "$REPO" \
  --pattern 'tracecore_*_linux_amd64' \
  --pattern 'tracecore_*.sbom.cdx.json' \
  --pattern 'tracecore_*.cosign.bundle' \
  --pattern 'tracecore_*.intoto.jsonl' \
  --dir release
ls release

# 4. Diff the locally-rebuilt binary against the published binary.
# --exit-code makes diffoscope exit non-zero on any difference, so
# exit 0 with empty output is the only passing outcome; any diff is
# a P0 reproducibility break.
PUBLISHED=$(ls release/tracecore_*_linux_amd64 | head -n1)
diffoscope --exit-code src/tracecore "$PUBLISHED"

# 5. Verify the cosign keyless signature. The certificate identity is
# pinned to this exact workflow file on a tag-ref so a sibling
# workflow on a non-protected branch cannot mint a passing bundle.
BUNDLE=$(ls release/tracecore_*.cosign.bundle | head -n1)
cosign verify-blob \
  --bundle "$BUNDLE" \
  --certificate-identity-regexp "^https://github.com/${REPO}/\.github/workflows/release\.yml@refs/tags/" \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$PUBLISHED"

# 6. Verify the SLSA v1.0 provenance attestation. Reading the bundle
# from disk (--bundle) makes this work offline and pins the signer
# to this exact workflow on a tag-ref: a sibling workflow elsewhere
# in the repo cannot produce an attestation that passes.
ATTEST=$(ls release/tracecore_*.intoto.jsonl | head -n1)
gh attestation verify "$PUBLISHED" \
  --bundle "$ATTEST" \
  --owner "${REPO%/*}" \
  --predicate-type 'https://slsa.dev/provenance/v1' \
  --signer-workflow "${REPO}/.github/workflows/release.yml"

# 7. Sanity-check the CycloneDX SBOM: it must enumerate at least one
# component per direct module in the rebuilt go.sum.
SBOM=$(ls release/tracecore_*.sbom.cdx.json | head -n1)
jq -e '.components | length > 0' "$SBOM"
jq -r '.components[].purl' "$SBOM" | sort -u | head
```
What this verifies
| Step | Guarantee | Source spec |
|---|---|---|
| 4 | Byte-identical rebuild at the same SHA | PRINCIPLES.md §12 |
| 5 | Signature traces to a GitHub Actions OIDC identity, no long-lived key | Sigstore keyless |
| 6 | Build provenance matches predicateType: https://slsa.dev/provenance/v1, signed by this repo's release.yml on a tag-ref | SLSA v1.0 Build L1 + GitHub artifact attestations |
| 7 | SBOM coverage of every direct module | CycloneDX spec |
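Step 7 as written only proves the SBOM is non-empty and prints its purls; it never compares them against the module list. The following is an added example, not tracecore's own tooling, that reads the direct requirements out of go.mod (go.sum carries no direct/indirect marking; the `// indirect` comment in go.mod does) and reports every direct module that has no matching pkg:golang purl in the CycloneDX SBOM. Both the go.mod text and the SBOM document are constructed fixtures; against a real release you would read src/go.mod and the downloaded .sbom.cdx.json instead. The purl form pkg:golang/<module>@<version> is the standard Go purl type, compared case-insensitively because purl normalisation may lowercase the path.

```python
"""Check that a CycloneDX SBOM covers every direct module in go.mod.

Added example (not part of the tracecore release notes or repository).
Assumes the SBOM generator emits one component per Go module with a
purl of the form pkg:golang/<module path>@<version>.
"""
import json
import re

# Constructed go.mod standing in for src/go.mod after the rebuild.
GO_MOD = """\
module github.com/TraceCoreAI/tracecore

go 1.22

require (
\tgithub.com/spf13/cobra v1.8.0
\tgolang.org/x/sys v0.20.0 // indirect
\tgithub.com/google/uuid v1.6.0
)

require github.com/stretchr/testify v1.9.0
"""

# Constructed CycloneDX document standing in for the downloaded SBOM.
# It deliberately omits github.com/google/uuid so the check has something to find.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "github.com/spf13/cobra", "version": "v1.8.0",
         "purl": "pkg:golang/github.com/spf13/cobra@v1.8.0"},
        {"type": "library", "name": "golang.org/x/sys", "version": "v0.20.0",
         "purl": "pkg:golang/golang.org/x/sys@v0.20.0"},
        {"type": "library", "name": "github.com/stretchr/testify", "version": "v1.9.0",
         "purl": "pkg:golang/github.com/stretchr/testify@v1.9.0"},
    ],
})

# "<module path> <version> [// comment]" as it appears in a require entry.
REQUIRE_LINE = re.compile(r"^(\S+)\s+(v\S+)(\s*//.*)?$")


def direct_requires(go_mod: str) -> dict[str, str]:
    """Map module path -> version for every direct (non-indirect) require."""
    direct: dict[str, str] = {}
    in_block = False
    for raw in go_mod.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            m = REQUIRE_LINE.match(line)
        elif line == "require (":
            in_block = True
            continue
        elif line.startswith("require "):
            m = REQUIRE_LINE.match(line[len("require "):])
        else:
            continue  # module, go, replace, exclude, toolchain lines
        if m and "// indirect" not in (m.group(3) or ""):
            direct[m.group(1)] = m.group(2)
    return direct


def sbom_purls(sbom: dict) -> set[str]:
    """Lower-cased purls of every component that carries one."""
    return {c["purl"].lower() for c in sbom.get("components", []) if "purl" in c}


def missing_direct_modules(go_mod: str, sbom_json: str) -> list[str]:
    """Direct modules from go.mod with no matching pkg:golang purl in the SBOM."""
    purls = sbom_purls(json.loads(sbom_json))
    missing = []
    for path, version in sorted(direct_requires(go_mod).items()):
        if f"pkg:golang/{path}@{version}".lower() not in purls:
            missing.append(f"{path}@{version}")
    return missing


if __name__ == "__main__":
    gaps = missing_direct_modules(GO_MOD, SBOM_JSON)
    print("SBOM coverage OK" if not gaps else "missing from SBOM: " + ", ".join(gaps))
```

A failing result here is the same class of finding as the step 7 jq check: re-download the SBOM with --clobber before assuming the generator dropped a module.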
What this does not verify
- linux/arm64 reproducibility — covered by re-running steps 2–7 with GOARCH=arm64; the release workflow gates amd64 only.
- Transitive-dependency provenance — the SBOM lists every module in go.sum, but each transitive dependency carries its own provenance chain that is out of scope here.
- Source-tag immutability after publication — verified separately by the signed git tag check (git tag -v $TAG); the M21 release checklist enforces tag signing.
If a step fails
| Step that failed | Failure mode | First place to look |
|---|---|---|
| 4 (diffoscope) | Go-toolchain drift vs. tagged go.mod, or SOURCE_DATE_EPOCH mismatch | Build env: go version (compare with go.mod's go line), go env GOFLAGS GOTOOLCHAIN, git log -1 --pretty=%ct $TAG. |
| 5 (cosign) | OIDC issuer rotation or revoked cert | Sigstore transparency log entry for the bundle. |
| 6 (gh attestation verify) | Workflow file altered after the tag, or signer-workflow / source-ref mismatch | gh release view $TAG --json assets against the cached provenance; inspect .dsseEnvelope.payload. |
| 7 (jq) | SBOM truncation during upload | Re-download with gh release download --clobber; re-run from step 3. |
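The step 6 row above points at .dsseEnvelope.payload. The added example below, which is not part of the release notes or the project, decodes that payload from one line of the downloaded .intoto.jsonl and checks the content-level claims that step 6 relies on: the predicateType, the artifact sha256 appearing in subject[], and the signing workflow's repository, path and tag ref. It does not check the signature, so it explains what a step 6 failure means rather than replacing steps 5 and 6. The bundle and statement layout (dsseEnvelope.payload as base64 JSON, workflow fields under predicate.buildDefinition.externalParameters.workflow) is the shape I understand actions/attest-build-provenance to emit; the bundle here is a constructed, unsigned fixture and the artifact bytes are a stand-in, not a real build.

```python
"""Decode the in-toto statement inside a Sigstore bundle line and check the
content claims behind step 6. Added example, not tracecore's own code.

Signature verification is deliberately left to cosign / gh attestation verify.
"""
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
INTOTO_TYPE = "application/vnd.in-toto+json"

# Constructed stand-in for the published binary (not a real tracecore build).
ARTIFACT = b"\x7fELF constructed stand-in for tracecore_0.1.0_linux_amd64\n"


def build_statement(artifact: bytes, ref: str) -> dict:
    """Minimal SLSA v1 statement for the fixture.

    Field layout is assumed to match actions/attest-build-provenance output.
    """
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{
            "name": "tracecore_0.1.0_linux_amd64",
            "digest": {"sha256": hashlib.sha256(artifact).hexdigest()},
        }],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": ref,
                "repository": "https://github.com/TraceCoreAI/tracecore",
                "path": ".github/workflows/release.yml",
            }},
        }},
    }


def bundle_line(statement: dict) -> str:
    """Serialise a statement as one unsigned, bundle-shaped JSONL line."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "dsseEnvelope": {
            "payload": payload,
            "payloadType": INTOTO_TYPE,
            "signatures": [{"sig": "<omitted: fixture is unsigned>"}],
        },
    })


def check_provenance(line: str, artifact: bytes, repo: str, tag: str) -> list[str]:
    """Return the inconsistencies found in one bundle line; [] means consistent."""
    problems: list[str] = []
    env = json.loads(line).get("dsseEnvelope", {})
    if env.get("payloadType") != INTOTO_TYPE:
        problems.append(f"payloadType is {env.get('payloadType')!r}, not {INTOTO_TYPE}")
    if not env.get("payload"):
        return problems + ["no dsseEnvelope.payload"]
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SLSA_V1:
        problems.append(f"predicateType is {stmt.get('predicateType')!r}, not {SLSA_V1}")
    # The artifact we downloaded must be one of the statement's subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        problems.append("artifact sha256 not in subject[]")
    # The build must come from this repo's release.yml running on the tag.
    wf = (stmt.get("predicate", {}).get("buildDefinition", {})
              .get("externalParameters", {}).get("workflow", {}))
    if wf.get("repository") != f"https://github.com/{repo}":
        problems.append(f"workflow repository is {wf.get('repository')!r}")
    if wf.get("path") != ".github/workflows/release.yml":
        problems.append(f"workflow path is {wf.get('path')!r}")
    if wf.get("ref") != f"refs/tags/{tag}":
        problems.append(f"workflow ref is {wf.get('ref')!r}, not refs/tags/{tag}")
    return problems


if __name__ == "__main__":
    line = bundle_line(build_statement(ARTIFACT, "refs/tags/v0.1.0"))
    print(check_provenance(line, ARTIFACT, "TraceCoreAI/tracecore", "v0.1.0") or "consistent")
```

Against a real release, feed each line of release/tracecore_*.intoto.jsonl and the bytes of the published binary to check_provenance; a non-empty list tells you which of the step 6 expectations the statement itself contradicts, before you go looking at the signer identity.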
Reproducibility breakage is a P0 bug. File against
SECURITY.md if the failure is a signing-identity or
provenance mismatch; otherwise open a regular issue tagged
reproducibility.
v0.0.0-m3test-6
Reproducibility
Verify a published tracecore release end-to-end from source. Four
artifacts ship with every release tag: the binary, a CycloneDX SBOM, a
keyless cosign signature bundle, and an SLSA v1.0 in-toto provenance
attestation. The commands below reproduce the build at the same git SHA,
diff it against the published binary, and verify each of the three
attestations independently.
This walkthrough targets linux/amd64. linux/arm64 is opt-in and
follows the same sequence with GOARCH=arm64. See
PRINCIPLES.md §12 for the reproducibility invariant
this verifies.
Prerequisites
- Go ≥ the version pinned in .go-version.
- cosign ≥ 2.2.0 (Sigstore keyless verification).
- diffoscope (Linux: apt-get install diffoscope).
- gh CLI ≥ 2.49.0, authenticated to GitHub (gh attestation verify plus asset download).
- A POSIX shell — Linux or macOS.
The SLSA v1.0 provenance attestation ships as a Sigstore bundle written
by actions/attest-build-provenance. The reference verifier in step 6
is GitHub's gh attestation verify. If you prefer
slsa-verifier,
use ≥ 2.7.0 with the verify-github-attestation subcommand — earlier
versions don't parse Sigstore Bundle v0.3.
Walkthrough
Pick the release tag you want to verify, then run the commands in order.
Every command exits 0 on success; any non-zero exit means
reproducibility broke for that release.
```bash
# 0. Pin the release tag you are verifying.
TAG=v0.1.0
REPO=TraceCoreAI/tracecore
WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# 1. Clone at the exact tag. --depth=1 is fine; the build only needs
# HEAD's git log timestamp for SOURCE_DATE_EPOCH, which is read from
# the tagged commit, not from history depth.
git clone --depth=1 --branch "$TAG" "https://github.com/${REPO}.git" src
cd src

# 2. Rebuild. The Makefile computes SOURCE_DATE_EPOCH from the latest
# commit timestamp when the env var is unset, so two builds at the
# same SHA agree by construction. CGO_ENABLED=0 keeps the host C
# toolchain out of the reproducibility surface.
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 make build
sha256sum tracecore

# 3. Download the published binary, SBOM, signature bundle, and
# provenance attestation as a single asset set.
cd ..
gh release download "$TAG" \
  --repo "$REPO" \
  --pattern 'tracecore_*_linux_amd64' \
  --pattern 'tracecore_*.sbom.cdx.json' \
  --pattern 'tracecore_*.cosign.bundle' \
  --pattern 'tracecore_*.intoto.jsonl' \
  --dir release
ls release

# 4. Diff the locally-rebuilt binary against the published binary.
# --exit-code makes diffoscope exit non-zero on any difference, so
# exit 0 with empty output is the only passing outcome; any diff is
# a P0 reproducibility break.
PUBLISHED=$(ls release/tracecore_*_linux_amd64 | head -n1)
diffoscope --exit-code src/tracecore "$PUBLISHED"

# 5. Verify the cosign keyless signature. The certificate identity is
# pinned to this exact workflow file on a tag-ref so a sibling
# workflow on a non-protected branch cannot mint a passing bundle.
BUNDLE=$(ls release/tracecore_*.cosign.bundle | head -n1)
cosign verify-blob \
  --bundle "$BUNDLE" \
  --certificate-identity-regexp "^https://github.com/${REPO}/\.github/workflows/release\.yml@refs/tags/" \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$PUBLISHED"

# 6. Verify the SLSA v1.0 provenance attestation. gh attestation verify
# pulls the Sigstore bundle attested for the artifact's sha256 from
# GitHub's attestation API, validates the in-toto statement's signing
# identity, and asserts the artifact digest is in the statement's
# subject[].
gh attestation verify "$PUBLISHED" \
  --repo "$REPO" \
  --predicate-type 'https://slsa.dev/provenance/v1'

# 7. Sanity-check the CycloneDX SBOM: it must enumerate at least one
# component per direct module in the rebuilt go.sum.
SBOM=$(ls release/tracecore_*.sbom.cdx.json | head -n1)
jq -e '.components | length > 0' "$SBOM"
jq -r '.components[].purl' "$SBOM" | sort -u | head
```
What this verifies
| Step | Guarantee | Source spec |
|---|---|---|
| 4 | Byte-identical rebuild at the same SHA | PRINCIPLES.md §12 |
| 5 | Signature traces to a GitHub Actions OIDC identity, no long-lived key | Sigstore keyless |
| 6 | Build provenance matches predicateType: https://slsa.dev/provenance/v1, signed by this repo's release.yml on a tag-ref | SLSA v1.0 Build L1 + GitHub artifact attestations |
| 7 | SBOM coverage of every direct module | CycloneDX spec |
What this does not verify
- linux/arm64 reproducibility — covered by re-running steps 2–7 with GOARCH=arm64; the release workflow gates amd64 only.
- Transitive-dependency provenance — the SBOM lists every module in go.sum, but each transitive dependency carries its own provenance chain that is out of scope here.
- Source-tag immutability after publication — verified separately by the signed git tag check (git tag -v $TAG); the M21 release checklist enforces tag signing.
If a step fails
| Step that failed | Failure mode | First place to look |
|---|---|---|
| 4 (diffoscope) | Go-toolchain drift vs. tagged go.mod, or SOURCE_DATE_EPOCH mismatch | Build env: go version (compare with go.mod's go line), go env GOFLAGS GOTOOLCHAIN, git log -1 --pretty=%ct $TAG. |
| 5 (cosign) | OIDC issuer rotation or revoked cert | Sigstore transparency log entry for the bundle. |
| 6 (slsa-verifier) | Workflow file altered after the tag | gh release view $TAG --json assets against the cached provenance. |
| 7 (jq) | SBOM truncation during upload | Re-download with gh release download --clobber; re-run from step 3. |
Reproducibility breakage is a P0 bug. File against
SECURITY.md if the failure is a signing-identity or
provenance mismatch; otherwise open a regular issue tagged
reproducibility.
v0.0.0-m3test-4
Reproducibility
Verify a published tracecore release end-to-end from source. Four
artifacts ship with every release tag: the binary, a CycloneDX SBOM, a
keyless cosign signature bundle, and an SLSA v1.0 in-toto provenance
attestation. The commands below reproduce the build at the same git SHA,
diff it against the published binary, and verify each of the three
attestations independently.
This walkthrough targets linux/amd64. linux/arm64 is opt-in and
follows the same sequence with GOARCH=arm64. See
PRINCIPLES.md §12 for the reproducibility invariant
this verifies.
Prerequisites
- Go ≥ the version pinned in .go-version.
- cosign ≥ 2.2.0 (Sigstore keyless verification).
- slsa-verifier ≥ 2.5.0 (SLSA v1.0 provenance).
- diffoscope (Linux: apt-get install diffoscope).
- gh CLI authenticated to GitHub (release asset download).
- A POSIX shell — Linux or macOS.
Walkthrough
Pick the release tag you want to verify, then run the commands in order.
Every command exits 0 on success; any non-zero exit means
reproducibility broke for that release.
```bash
# 0. Pin the release tag you are verifying.
TAG=v0.1.0
REPO=TraceCoreAI/tracecore
WORKDIR=$(mktemp -d)
cd "$WORKDIR"

# 1. Clone at the exact tag. --depth=1 is fine; the build only needs
# HEAD's git log timestamp for SOURCE_DATE_EPOCH, which is read from
# the tagged commit, not from history depth.
git clone --depth=1 --branch "$TAG" "https://github.com/${REPO}.git" src
cd src

# 2. Rebuild. The Makefile computes SOURCE_DATE_EPOCH from the latest
# commit timestamp when the env var is unset, so two builds at the
# same SHA agree by construction. CGO_ENABLED=0 keeps the host C
# toolchain out of the reproducibility surface.
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 make build
sha256sum tracecore

# 3. Download the published binary, SBOM, signature bundle, and
# provenance attestation as a single asset set.
cd ..
gh release download "$TAG" \
  --repo "$REPO" \
  --pattern 'tracecore_*_linux_amd64' \
  --pattern 'tracecore_*.sbom.cdx.json' \
  --pattern 'tracecore_*.cosign.bundle' \
  --pattern 'tracecore_*.intoto.jsonl' \
  --dir release
ls release

# 4. Diff the locally-rebuilt binary against the published binary.
# Exit 0 with empty output is the only passing outcome; any diff is
# a P0 reproducibility break.
PUBLISHED=$(ls release/tracecore_*_linux_amd64 | head -n1)
diffoscope --exit-code src/tracecore "$PUBLISHED"

# 5. Verify the cosign keyless signature. The certificate identity must
# match the Fulcio cert chain bound to the GitHub Actions OIDC
# issuer for this repository; no long-lived key is involved.
BUNDLE=$(ls release/tracecore_*.cosign.bundle | head -n1)
cosign verify-blob \
  --bundle "$BUNDLE" \
  --certificate-identity-regexp "^https://github.com/${REPO}/" \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "$PUBLISHED"

# 6. Verify the SLSA v1.0 provenance attestation against the same
# source tag. slsa-verifier walks the in-toto envelope, checks the
# Sigstore signing identity, and asserts the artifact digest matches.
INTOTO=$(ls release/tracecore_*.intoto.jsonl | head -n1)
slsa-verifier verify-artifact \
  --provenance-path "$INTOTO" \
  --source-uri "github.com/${REPO}" \
  --source-tag "$TAG" \
  "$PUBLISHED"

# 7. Sanity-check the CycloneDX SBOM: it must enumerate at least one
# component per direct module in the rebuilt go.sum.
SBOM=$(ls release/tracecore_*.sbom.cdx.json | head -n1)
jq -e '.components | length > 0' "$SBOM"
jq -r '.components[].purl' "$SBOM" | sort -u | head
```
What this verifies
| Step | Guarantee | Source spec |
|---|---|---|
| 4 | Byte-identical rebuild at the same SHA | PRINCIPLES.md §12 |
| 5 | Signature traces to a GitHub Actions OIDC identity, no long-lived key | Sigstore keyless |
| 6 | Build provenance matches predicateType: https://slsa.dev/provenance/v1 | SLSA v1.0 Build L1 |
| 7 | SBOM coverage of every direct module | CycloneDX spec |
What this does not verify
- linux/arm64 reproducibility — covered by re-running steps 2–7 with GOARCH=arm64; the release workflow gates amd64 only.
- Transitive-dependency provenance — the SBOM lists every module in go.sum, but each transitive dependency carries its own provenance chain that is out of scope here.
- Source-tag immutability after publication — verified separately by the signed git tag check (git tag -v $TAG); the M21 release checklist enforces tag signing.
If a step fails
| Step that failed | Failure mode | First place to look |
|---|---|---|
| 4 (diffoscope) | Compiler upgrade or -trimpath regression | Build env: go version, go env -json, git log -1 --pretty=%ct. |
| 5 (cosign) | OIDC issuer rotation or revoked cert | Sigstore transparency log entry for the bundle. |
| 6 (slsa-verifier) | Workflow file altered after the tag | gh release view $TAG --json assets against the cached provenance. |
| 7 (jq) | SBOM truncation during upload | Re-download with gh release download --clobber; re-run from step 3. |
Reproducibility breakage is a P0 bug. File against
SECURITY.md if the failure is a signing-identity or
provenance mismatch; otherwise open a regular issue tagged
reproducibility.