credential_packet_v1 — canonical evidence release (decoupled from software versions)
Immutable
release. Only release title and notes can be modified.
This is the single canonical source of credential_packet_v1. The clinic verdict evidence has its own lifecycle, distinct from the v0.2.x software releases — so it lives here, once, rather than being re-attached to each software tag.
- Asset:
credential_packet_v1.tar.gz· sha256af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1 - Signature:
credential_packet_v1.tar.gz.asc— detached GPG signature by key01A3AFAC8B5F4361(fingerprintBAEF75200B49F1D3D6DBC81D01A3AFAC8B5F4361). Verify authorship:curl -s https://github.com/haeliotang.gpg | gpg --import gpg --verify credential_packet_v1.tar.gz.asc credential_packet_v1.tar.gz # expect: Good signature - Verify integrity + reproduce per the bundled
VERIFY.md: reproduce the verdict table with stockpython3, check the files↔MANIFEST↔provenance chain. - CI (
release-evidence), the README, and software release notes all point only here. On every push CI re-checks the pinned SHA and verifies this signature against the in-repo maintainer key (docs/signing.md). If the evidence changes, it gets a new version (credential-packet-v2) — the packet version tracks the evidence, not the software.
Note on immutability: this release predates the repo's immutable-releases setting (which only protects releases created after it was enabled), so its GitHub immutable flag is false. Tamper-resistance here is the pinned SHA + this GPG signature + the delete/rewrite-protected tag — not that flag.