
Verifying the integrity of a release

By confirming that the releases you use have not been modified after publication, you can avoid tampering and accidental changes.


Prerequisites

Before you can validate the authenticity of a release and its assets on the command line, you need to install the GitHub CLI.

Verifying immutable releases and local artifacts

  1. On the command line, open the repository containing the release you want to verify.

  2. To verify a release exists and is immutable, run the following command:

    gh release verify RELEASE-TAG
    
  3. To verify a local artifact is an exact match for a release asset, run the following command:

    gh release verify-asset RELEASE-TAG ARTIFACT-PATH
    

    Note

    This command cannot be used to verify the source code zip file or tarball for a release, since these assets are only created when a download is requested.
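The two commands above combined into a fail-closed check for a download or CI step, as an added example rather than GitHub's own code. `verify_release_artifacts` is a hypothetical helper name, and the script assumes an installed, authenticated GitHub CLI run from inside the repository that owns the release.

```shell
#!/bin/sh
# Added example: fail-closed gate around `gh release verify` and
# `gh release verify-asset`. Run it from inside the repository (step 1).
# verify_release_artifacts is a hypothetical helper, not part of GitHub CLI.

verify_release_artifacts() {
    if [ "$#" -lt 2 ]; then
        echo "usage: verify_release_artifacts RELEASE-TAG ARTIFACT-PATH..." >&2
        return 2
    fi
    vra_tag=$1
    shift

    # Step 2: the release must exist and be immutable before any asset is trusted.
    if ! gh release verify "$vra_tag"; then
        echo "FAIL: release $vra_tag did not verify; no artifacts checked" >&2
        return 1
    fi

    # Step 3: every local artifact must exactly match a release asset.
    vra_failed=0
    for vra_file in "$@"; do
        if [ ! -f "$vra_file" ]; then
            echo "FAIL: $vra_file: no such file" >&2
            vra_failed=$((vra_failed + 1))
        elif ! gh release verify-asset "$vra_tag" "$vra_file"; then
            echo "FAIL: $vra_file does not match an asset of $vra_tag" >&2
            vra_failed=$((vra_failed + 1))
        else
            echo "OK:   $vra_file"
        fi
    done

    # Keep checking after a failure so one run reports every bad artifact,
    # but return non-zero if any single check failed.
    [ "$vra_failed" -eq 0 ]
}

# Example call (tag and paths are placeholders):
#   verify_release_artifacts RELEASE-TAG ./dist/ARTIFACT-1 ./dist/ARTIFACT-2
```

Per the note above, do not pass the source code zip file or tarball to this helper, since `verify-asset` cannot verify those.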

  1. On GitHub, navigate to the main page of the repository.

  2. To the right of the list of files, click Releases.


  3. To the left of the release you want to verify, below the release author, confirm that "Immutable" is present.