Skip to content

Releases

You can find the most recent version in the GitHub Releases.

Versioning

Versions are expressed as x.y.z, where x is the major version, y is the minor version, and z is the patch version, following Semantic Versioning terminology.

Verifying release artefacts

Every release artefact (each binary and checksums.txt) is keylessly signed with cosign during the release workflow. For each artefact <file>, a matching <file>.sig (signature) and <file>.pem (certificate) is published next to it on the GitHub Release page.

To verify a downloaded binary, install cosign and run cosign verify-blob, pointing it at the artefact's .pem and .sig:

cosign verify-blob \
  --certificate solar-apiserver-linux-amd64.pem \
  --signature  solar-apiserver-linux-amd64.sig \
  --certificate-identity-regexp 'https://github.com/opendefensecloud/solution-arsenal/\.github/workflows/release\.yaml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  solar-apiserver-linux-amd64

The same command works for checksums.txt and any other artefact — swap the file names accordingly. A successful run prints Verified OK.

Release binaries additionally carry a build-provenance attestation, which can be verified with the GitHub CLI:

gh attestation verify solar-apiserver-linux-amd64 --repo opendefensecloud/solution-arsenal