Auto-generated mirror. This page mirrors `docs/verification.md`, the canonical source of truth. Do not edit this file directly; edit `docs/verification.md` and re-run `scripts/wiki/sync_mirrors.py`.
# Verifying Evidentia release artifacts

Every Evidentia release produces:

- 8 PyPI wheels with PEP 740 attestations
- 1 cosign-signed container image at `ghcr.io/polycentric-labs/evidentia`
- 1 SLSA Provenance v1 attestation for the container image
- 1 CycloneDX 1.6 SBOM attached to the GitHub Release

All four can be verified by consumers using standard open-source tooling. This doc covers the recipes.
## Verifying PEP 740 attestations on PyPI wheels

**Bash / Linux / macOS**

```bash
# Install pypi-attestations (one-time)
pip install pypi-attestations

# Verify a single wheel
pypi-attestations verify pypi \
  --repository https://github.com/Polycentric-Labs/evidentia \
  pypi:evidentia_core-0.10.12-py3-none-any.whl

# Expected output:
# OK: evidentia_core-0.10.12-py3-none-any.whl
```

**PowerShell (Windows)**

```powershell
# Install pypi-attestations (one-time)
pip install pypi-attestations

# Verify a single wheel
pypi-attestations verify pypi `
  --repository https://github.com/Polycentric-Labs/evidentia `
  pypi:evidentia_core-0.10.12-py3-none-any.whl

# Expected output:
# OK: evidentia_core-0.10.12-py3-none-any.whl
```
Per-release sweep across all 8 packages:

**Bash / Linux / macOS**

```bash
for pkg in evidentia evidentia_ai evidentia_api evidentia_collectors \
           evidentia_core evidentia_eval evidentia_integrations evidentia_mcp; do
  pypi-attestations verify pypi \
    --repository https://github.com/Polycentric-Labs/evidentia \
    "pypi:${pkg}-0.10.12-py3-none-any.whl"
done
```

**PowerShell (Windows)**

```powershell
foreach ($pkg in 'evidentia','evidentia_ai','evidentia_api','evidentia_collectors',
                 'evidentia_core','evidentia_eval','evidentia_integrations','evidentia_mcp') {
  pypi-attestations verify pypi `
    --repository https://github.com/Polycentric-Labs/evidentia `
    "pypi:${pkg}-0.10.12-py3-none-any.whl"
}
```
## Verifying the cosign-signed container

**Bash / Linux / macOS**

```bash
# Install cosign (one-time)
# https://docs.sigstore.dev/system_config/installation/

# Verify the container's keyless OIDC signature
cosign verify ghcr.io/polycentric-labs/evidentia:v0.10.12 \
  --certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.10.12" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# Expected output: "The cosign claims were validated" + SLSA Provenance v1 JSON.
```

**PowerShell (Windows)**

```powershell
# Install cosign (one-time)
# https://docs.sigstore.dev/system_config/installation/

# Verify the container's keyless OIDC signature
cosign verify ghcr.io/polycentric-labs/evidentia:v0.10.12 `
  --certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.10.12" `
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# Expected output: "The cosign claims were validated" + SLSA Provenance v1 JSON.
```

Note that `--certificate-identity-regexp` interprets its value as a regular expression (the unescaped dots match any character). To require the signing identity to equal this exact string, pass the same value with `--certificate-identity` instead.
## Verifying the CycloneDX SBOM attached to the Release

**Bash / Linux / macOS**

```bash
# Download the SBOM
gh release download v0.10.12 --pattern 'evidentia-sbom.cdx.json' \
  --repo Polycentric-Labs/evidentia

# Scan for vulnerabilities
osv-scanner scan --sbom evidentia-sbom.cdx.json

# Expected output: "No issues found" (or surfaced advisories with severities).
```

**PowerShell (Windows)**

```powershell
# Download the SBOM
gh release download v0.10.12 --pattern 'evidentia-sbom.cdx.json' `
  --repo Polycentric-Labs/evidentia

# Scan for vulnerabilities
osv-scanner scan --sbom evidentia-sbom.cdx.json

# Expected output: "No issues found" (or surfaced advisories with severities).
```
## Verifying SLSA Provenance v1

The container's `cosign verify` output above includes the SLSA Provenance v1
attestation inline. To extract it:

**Bash / Linux / macOS**

```bash
cosign verify-attestation ghcr.io/polycentric-labs/evidentia:v0.10.12 \
  --certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.10.12" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --type slsaprovenance1
```

**PowerShell (Windows)**

```powershell
cosign verify-attestation ghcr.io/polycentric-labs/evidentia:v0.10.12 `
  --certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.10.12" `
  --certificate-oidc-issuer https://token.actions.githubusercontent.com `
  --type slsaprovenance1
```
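`cosign verify-attestation` proves who signed the attestation; it does not check what the provenance says. The script below is an added example (not part of the Evidentia docs or the project's tooling) that consumes the DSSE envelopes cosign prints (one JSON object per line, with the in-toto statement base64-encoded in `payload`) and applies a content policy: the statement is SLSA Provenance v1, its subject digest is the image digest you actually pulled, and the build came from the expected workflow repository at the expected tag. The in-toto/SLSA field names are from those specifications; the expected `buildType` and `builder.id` values, the sample envelope and the `check_provenance`/`verify_output` helper names are constructed assumptions for illustration, so replace the `EXPECTED_*` constants with what your first real run of `verify-attestation` shows.

```python
import base64
import json

# Identifiers fixed by the in-toto and SLSA v1 specifications.
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Policy values. Repository comes from the docs; the other two are ASSUMED
# placeholders and must be taken from a real envelope before use.
EXPECTED_WORKFLOW_REPO = "https://github.com/Polycentric-Labs/evidentia"
EXPECTED_BUILD_TYPE = "https://actions.github.io/buildtypes/workflow/v1"  # assumed
EXPECTED_BUILDER_ID = "https://github.com/actions/runner/github-hosted"   # assumed


def decode_envelope(line: str) -> dict:
    """Unwrap one DSSE envelope (one JSON line) into its in-toto statement."""
    envelope = json.loads(line)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, image_digest: str, tag: str) -> list[str]:
    """Return policy failures for a statement; an empty list means it passes."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append(f"not an in-toto v1 statement: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        failures.append(f"predicateType is {statement.get('predicateType')!r}")

    # Subject binding: the digest you pulled must be one of the subjects,
    # otherwise valid provenance for some other image is being presented.
    wanted = image_digest.removeprefix("sha256:")
    subject_digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if wanted not in subject_digests:
        failures.append("subject digest does not match the pulled image")

    predicate = statement.get("predicate", {})
    build_def = predicate.get("buildDefinition", {})
    if build_def.get("buildType") != EXPECTED_BUILD_TYPE:
        failures.append(f"buildType is {build_def.get('buildType')!r}")
    workflow = build_def.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != EXPECTED_WORKFLOW_REPO:
        failures.append(f"workflow.repository is {workflow.get('repository')!r}")
    if workflow.get("ref") != f"refs/tags/{tag}":
        failures.append(f"workflow.ref is {workflow.get('ref')!r}, expected refs/tags/{tag}")
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != EXPECTED_BUILDER_ID:
        failures.append(f"builder.id is {builder_id!r}")
    return failures


def verify_output(text: str, image_digest: str, tag: str) -> dict[int, list[str]]:
    """Check every envelope in verify-attestation output; index -> failures."""
    return {
        i: check_provenance(decode_envelope(line), image_digest, tag)
        for i, line in enumerate(l for l in text.splitlines() if l.strip())
    }


# Constructed sample envelope standing in for real verify-attestation output.
SAMPLE_DIGEST = "a" * 64
_SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "predicateType": SLSA_V1_PREDICATE,
    "subject": [{"name": "ghcr.io/polycentric-labs/evidentia", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {
        "buildDefinition": {
            "buildType": EXPECTED_BUILD_TYPE,
            "externalParameters": {"workflow": {
                "repository": EXPECTED_WORKFLOW_REPO,
                "ref": "refs/tags/v0.10.12",
                "path": ".github/workflows/release.yml",
            }},
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID}},
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
})


if __name__ == "__main__":
    import sys
    # Usage: cosign verify-attestation ... | python check_provenance.py sha256:<digest> v0.10.12
    live = len(sys.argv) > 2
    text = sys.stdin.read() if live else SAMPLE_ENVELOPE
    digest = sys.argv[1] if live else "sha256:" + SAMPLE_DIGEST
    tag = sys.argv[2] if live else "v0.10.12"
    for idx, failures in verify_output(text, digest, tag).items():
        print(f"envelope {idx}: {'OK' if not failures else failures}")
```

Pipe the real `verify-attestation` output into the script with the digest from `docker inspect` or `crane digest` and the release tag; any non-empty failure list means the provenance, although validly signed, does not describe the image and build you expected.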
## Cross-references

- `SECURITY.md`: vulnerability reporting policy
- `EOL.md`: version support windows
- `docs/sigstore-quickstart.md`: Sigstore introduction