Instructions for Signature Verification of the Provenance File

In this example we verify the signature of the SLSA provenance file of a Ghaf Lenovo X1 Carbon package.

Step-by-step instructions:

  • Download and extract the package in an empty directory

    mkdir verify-sig
    cd verify-sig
    wget https://ghafreleasesstorage.z16.web.core.windows.net/ghaf-24-12-01/files/aarch64-linux.nvidia-jetson-orin-agx-debug.tar
    tar -xf *.tar
    cd aarch64-linux.nvidia-jetson-orin-agx-debug
    cd scs

  • Verify the signature

    nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path provenance.json --sigfile provenance.json.sig --cert INT-Ghaf-Devenv-Provenance

Example output of successful signature verification:

[karim@nixos:~/verify-sg/aarch64-linux.nvidia-jetson-orin-agx-debug/scs]$ nix run github:tiiuae/ci-yubi/bdb2dbf#verify -- --path provenance.json --sigfile provenance.json.sig --cert INT-Ghaf-Devenv-Provenance
Signature verification result: {'message': 'Signature Verification Result', 'is_valid': True}
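The following script is an added example, not part of the Ghaf documentation or the ci-yubi tool, that wraps the steps above so the check can run unattended (for instance in a release-acceptance job). It assumes the directory layout produced by extracting the package (a `scs/` directory holding `provenance.json` and `provenance.json.sig`) and parses the result line shown in the example output, because the page does not document the verifier's exit status and a run that merely completes must not be mistaken for a valid signature. The variable names `VERIFY_CMD` and `CERT_NAME` and the two function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Ghaf docs): unattended provenance signature check.
# Assumption: the only trustworthy success indicator is the result line
#   Signature verification result: {..., 'is_valid': True}
# so we parse it instead of relying on the exit status alone.

# Command and certificate name from the documented step; overridable for testing.
VERIFY_CMD="${VERIFY_CMD:-nix run github:tiiuae/ci-yubi/bdb2dbf#verify --}"
CERT_NAME="${CERT_NAME:-INT-Ghaf-Devenv-Provenance}"

# verify_result_ok OUTPUT
# Returns 0 only when OUTPUT contains the tool's success marker and no
# failure marker. Empty output, 'is_valid': False or anything unexpected
# is treated as a failed verification (fail closed).
verify_result_ok() {
    out="$1"
    [ -n "$out" ] || return 1
    case "$out" in
        *"'is_valid': False"*) return 1 ;;
    esac
    case "$out" in
        *"Signature verification result:"*"'is_valid': True"*) return 0 ;;
    esac
    return 1
}

# verify_provenance_dir DIR
# Checks that the provenance file and its detached signature are present in
# DIR (the scs/ directory of an extracted package), runs the verifier there,
# and returns 0 only if the result line reports a valid signature.
verify_provenance_dir() {
    dir="$1"
    for f in provenance.json provenance.json.sig; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            return 1
        fi
    done
    # Run in a subshell so the caller's working directory is untouched.
    output=$(cd "$dir" && $VERIFY_CMD --path provenance.json \
                 --sigfile provenance.json.sig --cert "$CERT_NAME" 2>&1) || {
        echo "verifier exited non-zero:" >&2
        echo "$output" >&2
        return 1
    }
    if verify_result_ok "$output"; then
        echo "provenance signature valid: $dir/provenance.json"
        return 0
    fi
    echo "verification FAILED for $dir/provenance.json:" >&2
    echo "$output" >&2
    return 1
}

# Usage: verify_provenance_dir aarch64-linux.nvidia-jetson-orin-agx-debug/scs
```

Run it after the download and extraction steps with the path to the package's `scs/` directory; a non-zero exit means either a file was missing, the verifier failed to run, or the result line did not report `'is_valid': True`.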