Verification

Auto-generated mirror. This page mirrors docs/verification.md, the canonical source of truth. Do not edit this file directly; edit docs/verification.md and re-run scripts/wiki/sync_mirrors.py.

Verifying Evidentia release artifacts

Every Evidentia release produces:

8 PyPI wheels with PEP 740 attestations
1 cosign-signed container image at ghcr.io/polycentric-labs/evidentia
1 SLSA Provenance v1 attestation per the container
1 CycloneDX 1.6 SBOM attached to the GitHub Release

All four can be verified by consumers using standard open-source tooling. This doc covers the recipes.

Verifying PEP 740 attestations on PyPI wheels

# Install pypi-attestations (one-time)
pip install pypi-attestations

# Verify a single wheel
pypi-attestations verify pypi \
  --repository https://github.com/Polycentric-Labs/evidentia \
  pypi:evidentia_core-0.10.9-py3-none-any.whl

# Expected output:
#   OK: evidentia_core-0.10.9-py3-none-any.whl

Per-release sweep across all 8 packages:

for pkg in evidentia evidentia_ai evidentia_api evidentia_collectors \
           evidentia_core evidentia_eval evidentia_integrations evidentia_mcp; do
  pypi-attestations verify pypi \
    --repository https://github.com/Polycentric-Labs/evidentia \
    "pypi:${pkg}-0.10.9-py3-none-any.whl"
done

Verifying the cosign-signed container

# Install cosign (one-time)
# https://docs.sigstore.dev/system_config/installation/

# Verify the container's keyless OIDC signature
cosign verify ghcr.io/polycentric-labs/evidentia:v0.10.9 \
  --certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.10.9" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# Expected output: "The cosign claims were validated" + SLSA Provenance v1 JSON.

Verifying the CycloneDX SBOM attached to the Release

# Download the SBOM
gh release download v0.10.9 --pattern 'evidentia-sbom.cdx.json' \
  --repo Polycentric-Labs/evidentia

# Scan for vulnerabilities
osv-scanner scan --sbom evidentia-sbom.cdx.json

# Expected output: "No issues found" (or surfaced advisories with severities).

Verifying SLSA Provenance v1

The container's cosign verify output above includes the SLSA Provenance v1 attestation inline. To extract it:

cosign verify-attestation ghcr.io/polycentric-labs/evidentia:v0.10.9 \
  --certificate-identity-regexp "https://github.com/Polycentric-Labs/evidentia/.github/workflows/release.yml@refs/tags/v0.10.9" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --type slsaprovenance1

Cross-references

SECURITY.md — vulnerability reporting policy
EOL.md — version support windows
docs/sigstore-quickstart.md — Sigstore introduction

Verification

Verifying Evidentia release artifacts

Verifying PEP 740 attestations on PyPI wheels

Verifying the cosign-signed container

Verifying the CycloneDX SBOM attached to the Release

Verifying SLSA Provenance v1

Cross-references

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Evidentia wiki

Clone this wiki locally