Skip to content

credential_packet_v1 — canonical evidence release (decoupled from software versions)

Choose a tag to compare

@haeliotang haeliotang released this 11 Jul 18:09
Immutable release. Only release title and notes can be modified.
3fc5d1f

This is the single canonical source of credential_packet_v1. The clinic verdict evidence has its own lifecycle, distinct from the v0.2.x software releases — so it lives here, once, rather than being re-attached to each software tag.

  • Asset: credential_packet_v1.tar.gz · sha256 af6e4142299b58cbfbeb67b3b357a6e438c272f7e074ee17b9c8e012a4dd01f1
  • Signature: credential_packet_v1.tar.gz.asc — detached GPG signature by key 01A3AFAC8B5F4361 (fingerprint BAEF75200B49F1D3D6DBC81D01A3AFAC8B5F4361). Verify authorship:
    curl -s https://github.com/haeliotang.gpg | gpg --import
    gpg --verify credential_packet_v1.tar.gz.asc credential_packet_v1.tar.gz   # expect: Good signature
    
  • Verify integrity + reproduce per the bundled VERIFY.md: reproduce the verdict table with stock python3, check the files↔MANIFEST↔provenance chain.
  • CI (release-evidence), the README, and software release notes all point only here. On every push CI re-checks the pinned SHA and verifies this signature against the in-repo maintainer key (docs/signing.md). If the evidence changes, it gets a new version (credential-packet-v2) — the packet version tracks the evidence, not the software.

Note on immutability: this release predates the repo's immutable-releases setting (which only protects releases created after it was enabled), so its GitHub immutable flag is false. Tamper-resistance here is the pinned SHA + this GPG signature + the delete/rewrite-protected tag — not that flag.