Release trust
Release trust
Section titled “Release trust”This page explains how to verify that a downloaded SONAR artifact is authentic and traceable to the official release pipeline.
What is published
Section titled “What is published”For each release, SONAR publishes:
- build artifacts (
setup.exe,msi,dmg,deb,rpm, etc.) - SHA256 manifests
- SBOM files
- build provenance attestations
- Sigstore bundles (
.sigstore.json) and related signatures
Minimum verification steps
Section titled “Minimum verification steps”- Compare your local SHA256 against the published manifest.
- Validate provenance attestation from GitHub Actions.
- Verify signature evidence with
cosign verify-blob.
Where to verify
Section titled “Where to verify”- Official releases:
https://github.com/Sonar-team/Sonar_desktop_app/releases - Artifacts + SHA256 + Sigstore bundles: release assets.
- Provenance attestations: linked GitHub Actions release workflow run.
Command examples
Section titled “Command examples”1) SHA256 hash
Section titled “1) SHA256 hash”sha256sum sonar_*.debCompare with the published manifest (release-hashes-*.md or SHA256SUMS-*).
2) Cosign blob verification
Section titled “2) Cosign blob verification”cosign verify-blob \ --bundle sonar_*.sigstore.json \ --certificate-identity-regexp "https://github.com/Sonar-team/Sonar_desktop_app/.*" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ sonar_*.deb3) SBOM
Section titled “3) SBOM”- Ensure the SBOM file is present for the artifact.
- Ensure SBOM and artifact belong to the same release.
Recommended practice
Section titled “Recommended practice”- Download only from the official GitHub release.
- Do not redistribute unverified local builds.
- Store SHA256/provenance/Sigstore evidence alongside delivered binaries.
References
Section titled “References”- Changelog:
/doc/changelog - Download:
/doc/en/download