Skip to content

Release trust

This page explains how to verify that a downloaded SONAR artifact is authentic and traceable to the official release pipeline.

For each release, SONAR publishes:

  • build artifacts (setup.exe, msi, dmg, deb, rpm, etc.)
  • SHA256 manifests
  • SBOM files
  • build provenance attestations
  • Sigstore bundles (.sigstore.json) and related signatures
  1. Compare your local SHA256 against the published manifest.
  2. Validate provenance attestation from GitHub Actions.
  3. Verify signature evidence with cosign verify-blob.
  • Official releases:
    https://github.com/Sonar-team/Sonar_desktop_app/releases
  • Artifacts + SHA256 + Sigstore bundles: release assets.
  • Provenance attestations: linked GitHub Actions release workflow run.
Fenêtre de terminal
sha256sum sonar_*.deb

Compare with the published manifest (release-hashes-*.md or SHA256SUMS-*).

Fenêtre de terminal
cosign verify-blob \
--bundle sonar_*.sigstore.json \
--certificate-identity-regexp "https://github.com/Sonar-team/Sonar_desktop_app/.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
sonar_*.deb
  • Ensure the SBOM file is present for the artifact.
  • Ensure SBOM and artifact belong to the same release.
  • Download only from the official GitHub release.
  • Do not redistribute unverified local builds.
  • Store SHA256/provenance/Sigstore evidence alongside delivered binaries.
  • Changelog: /doc/changelog
  • Download: /doc/en/download