UltrafastSecp256k1/docs/RELEASE_VERIFICATION.md
shrec 56413c0942
feat: CI preflight gate, assurance tooling, adversarial test depth
New CI workflow:
- preflight.yml: security+ABI hard-fail, coverage/freshness advisory,
  assurance report artifact upload

New scripts:
- validate_assurance.py: cross-ref ledger vs ufsecp.h, TEST_MATRIX vs CTest
- export_assurance.py: machine-readable JSON (subsystems, API coverage,
  security density, protocol status, routing summary)
- release_diff.py: release diff with ABI changes, categorized files, checklist

New docs:
- BACKEND_ASSURANCE_MATRIX.md: CPU/CUDA/OpenCL/Metal feature/audit/secret matrix
- RELEASE_VERIFICATION.md: SHA256/cosign/SLSA provenance verification guide

Modified:
- preflight.py: DOC_PAIRS expanded 5->21 (protocols, CT, GPU, headers)
- test_adversarial_protocol.cpp: +test_frost_stale_commitment_replay (B.7),
  +test_ffi_invalid_enums (G.21: network/compressed flag boundary values)
2026-03-15 12:49:58 +00:00

Release Verification Guide

How to verify the integrity and provenance of UltrafastSecp256k1 release artifacts.


SHA-256 Checksums

Every release includes a SHA256SUMS file listing the SHA-256 hash of each artifact.

# Download the release and SHA256SUMS from the GitHub release page
# Verify checksums:
sha256sum -c SHA256SUMS

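Every line should report OK. Any mismatch means the file was corrupted or tampered with. A passing check shows only that the files match SHA256SUMS; the cosign verification described below is what establishes that SHA256SUMS itself came from the project's CI.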
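`sha256sum -c` examines only the files named in SHA256SUMS, so a downloaded file that is missing from the list is never checked and no error is raised for it. The following is an added example, not part of the project's documentation, that checks one specific artifact strictly; the function name `check_artifact`, its return codes, and the assumption that SHA256SUMS lists bare file names are this example's own.

```shell
# Added example: strictly check ONE downloaded artifact against SHA256SUMS.
# Return codes (this example's own convention):
#   0 match, 1 hash mismatch, 2 not listed, 3 listed more than once, 4 unreadable input
check_artifact() {
    sums_file=$1
    artifact=$2
    if [ ! -r "$sums_file" ] || [ ! -r "$artifact" ]; then
        return 4
    fi
    name=$(basename -- "$artifact")

    # Entries look like "<64 hex>  <name>" (text mode) or "<64 hex> *<name>" (binary mode).
    # The name is compared as an exact string, never as a pattern.
    result=$(NAME="$name" awk '
        { f = $0; sub(/^[0-9A-Fa-f]+ [ *]/, "", f) }
        f == ENVIRON["NAME"] && length($1) == 64 { n++; h = tolower($1) }
        END { print n + 0, h }
    ' "$sums_file")
    count=${result%% *}
    expected=${result#* }

    if [ "$count" -eq 0 ]; then return 2; fi   # sha256sum -c would silently skip this file
    if [ "$count" -gt 1 ]; then return 3; fi   # ambiguous: refuse rather than pick one

    actual=$(sha256sum -- "$artifact" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then return 1; fi
    return 0
}

# Usage: check_artifact SHA256SUMS <artifact-file> && echo "listed and matching"
```

Run it for each file you intend to install, alongside the signature check on SHA256SUMS.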


Cosign Signature Verification

Release checksums are signed with Sigstore cosign using GitHub Actions OIDC identity (keyless signing).

Verify the checksums signature

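# Install cosign: https://docs.sigstore.dev/cosign/system_config/installation/
# The identity regexp is anchored at the start and ends with "/" so that
# only workflows inside this repository match (cosign regexps are unanchored by default).
cosign verify-blob SHA256SUMS \
  --bundle SHA256SUMS.sigstore \
  --certificate-identity-regexp "^https://github\.com/shrec/UltrafastSecp256k1/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"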

A successful verification confirms:

  1. The SHA256SUMS file was generated by the official GitHub Actions CI
  2. The signing identity matches the repository's workflow
  3. The file has not been modified since signing

Verify individual artifacts

Some artifacts also have individual .sigstore bundles:

# Anchored identity regexp: matches only workflows inside this repository.
cosign verify-blob <artifact-file> \
  --bundle <artifact-file>.sigstore \
  --certificate-identity-regexp "^https://github\.com/shrec/UltrafastSecp256k1/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Build Provenance Attestation

Releases include SLSA build provenance attestations generated by GitHub's actions/attest-build-provenance action.

Verify provenance with GitHub CLI

gh attestation verify <artifact-file> \
  --repo shrec/UltrafastSecp256k1

This confirms the artifact was built by the repository's CI pipeline, not by an external party.


Verification Checklist

  1. Download SHA256SUMS and SHA256SUMS.sigstore from the release
  2. Run sha256sum -c SHA256SUMS to verify file integrity
  3. Run cosign verify-blob to verify the signer identity
  4. Optionally run gh attestation verify for SLSA provenance
  5. Compare the release tag against the CHANGELOG.md entry

Reproducible Builds

To build from source and verify against release binaries:

git checkout v<VERSION>
cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
cmake --build build -j

Note: exact binary reproducibility depends on compiler version and platform. The SHA-256 checksums are authoritative for the official release binaries.