Verify what AGLedger ships
AGLedger ships four artifact surfaces — the Server container image, the Helm chart, the npm packages, and the PyPI package. Every one is built and signed by CI under a single keyless trust root: GitHub Actions OIDC to Sigstore (Fulcio) to the public Rekor transparency log. There is no long-lived signing token or static key for any published artifact, and verification runs entirely against the public Sigstore trust root — no AGLedger-hosted key, endpoint, or source-repository access.
This page is the single index for the verify recipes. The image and chart recipes are maintained in the install repository's SECURITY.md; the npm and PyPI recipes in the agents SECURITY.md. They agree on the trust root.
Assurance level, per artifact
The SLSA Build level is stated per artifact rather than flattened to one number. The container and registry paths earn different guarantees, and over-claiming on either is exactly what a security reviewer flags.
| Artifact | Provenance mechanism | SLSA Build level |
|---|---|---|
| Server image agledger/agledger | cosign keyless + slsa-github-generator isolated builder | L3 |
| Helm chart agledger/agledger-chart | cosign keyless + isolated builder | L3 |
| npm packages @agledger/{verify-core,verify,sdk,cli,mcp-server} | npm provenance attestation (Sigstore) + CycloneDX SBOM | L2-equivalent |
| PyPI package agledger | PEP 740 attestation via PyPI Trusted Publishing | L2-equivalent |
The container and chart paths reach SLSA Build L3 because provenance is produced by an isolated reusable workflow the build steps cannot tamper with. The registry packages publish hosted build provenance via Trusted Publishing — OIDC-bound and non-forgeable, but without the isolated-builder guarantee — so they are stated as L2-equivalent rather than L3.
Server image and Helm chart
Both are keyless-signed with cosign. A valid signature binds to the GitHub Actions workflow that built the release. Requires cosign 3.0 or later. Set the release you are verifying once:
VERSION=0.27.9
IDENTITY='^https://github\.com/agledger-ai/agledger-api/\.github/workflows/.+@refs/tags/v.+$'
ISSUER='https://token.actions.githubusercontent.com'
Verify the image signature, then the chart:
$ cosign verify --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" \
agledger/agledger:$VERSION
$ cosign verify --certificate-identity-regexp "$IDENTITY" --certificate-oidc-issuer "$ISSUER" \
registry-1.docker.io/agledger/agledger-chart:$VERSION
Each prints Verification for ... and a JSON block whose certificate identity is the GitHub Actions workflow that built the artifact. Verify the CycloneDX SBOM and OpenVEX attestations the same way:
$ cosign verify-attestation --type cyclonedx --certificate-identity-regexp "$IDENTITY" \
--certificate-oidc-issuer "$ISSUER" agledger/agledger:$VERSION
$ cosign verify-attestation --type openvex --certificate-identity-regexp "$IDENTITY" \
--certificate-oidc-issuer "$ISSUER" agledger/agledger:$VERSION
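As an added example (not from the AGLedger repositories), this script runs the IDENTITY pattern above against constructed certificate identities to show what the pin admits: any workflow file in agledger-ai/agledger-api at any v-prefixed tag, and nothing from branches, pull requests or other repositories. The workflow file names are hypothetical, and grep -E stands in for cosign's matcher.

```shell
#!/bin/sh
# Added example: check which signer identities the page's IDENTITY pattern admits.
# grep -E stands in for cosign's regular-expression matching (assumption: the
# two engines agree for this simple anchored pattern).
IDENTITY='^https://github\.com/agledger-ai/agledger-api/\.github/workflows/.+@refs/tags/v.+$'

# Print ACCEPT or REJECT for one certificate identity (SAN URI) string.
classify() {
    if printf '%s\n' "$1" | grep -Eq -- "$IDENTITY"; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

# Constructed sample identities; release.yml and other.yml are hypothetical names.
REPO='https://github.com/agledger-ai/agledger-api'
for san in \
    "$REPO/.github/workflows/release.yml@refs/tags/v0.27.9" \
    "$REPO/.github/workflows/other.yml@refs/tags/v9.9.9-rc1" \
    "$REPO/.github/workflows/release.yml@refs/heads/main" \
    "$REPO/.github/workflows/release.yml@refs/pull/1/merge" \
    "$REPO-fork/.github/workflows/release.yml@refs/tags/v0.27.9" \
    "https://github.com/example-org/agledger-api/.github/workflows/release.yml@refs/tags/v0.27.9" \
    "https://githubXcom/agledger-ai/agledger-api/.github/workflows/release.yml@refs/tags/v0.27.9"
do
    printf '%-6s %s\n' "$(classify "$san")" "$san"
done
```

The second sample is accepted: the pattern pins the repository and a v-prefixed tag ref, not one workflow file name.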
For the SLSA Build L3 provenance, verify by digest with slsa-verifier:
$ slsa-verifier verify-image "agledger/agledger@$(crane digest agledger/agledger:$VERSION)" \
--source-uri github.com/agledger-ai/agledger-api
Docker Hub is the authoritative customer registry. Provenance binds to Docker Hub digests. Internal ECR or other registry mirrors are separate builds and will not digest-match — verify against Docker Hub, then mirror the verified digest.
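One way to script the verify-then-mirror advice above, as an added example rather than AGLedger's own tooling: it resolves the tag to a digest once, verifies signature and provenance for that digest, and copies only that digest. The mirror repository argument and the script name are assumptions, and crane copy is this example's choice for the mirror step.

```shell
#!/bin/sh
# Added example: resolve the tag once, verify that digest, mirror that digest.
# Requires crane, cosign and slsa-verifier on PATH. The destination repository
# passed as $3 is the caller's own mirror (assumption; not named on the page).
IDENTITY='^https://github\.com/agledger-ai/agledger-api/\.github/workflows/.+@refs/tags/v.+$'
ISSUER='https://token.actions.githubusercontent.com'
SOURCE_URI='github.com/agledger-ai/agledger-api'

# Prints the mirrored reference pinned by digest; returns non-zero on any failure.
verify_then_mirror() {
    src=$1; version=$2; dest=$3
    digest=$(crane digest "$src:$version") || { echo "digest lookup failed" >&2; return 1; }
    case $digest in
        sha256:*) ;;
        *) echo "unexpected digest '$digest'" >&2; return 1 ;;
    esac
    pinned="$src@$digest"

    # Fail closed: any verification error stops before the copy.
    cosign verify --certificate-identity-regexp "$IDENTITY" \
        --certificate-oidc-issuer "$ISSUER" "$pinned" >/dev/null || {
        echo "signature verification failed for $pinned" >&2; return 1; }
    slsa-verifier verify-image "$pinned" --source-uri "$SOURCE_URI" >/dev/null || {
        echo "provenance verification failed for $pinned" >&2; return 1; }

    crane copy "$pinned" "$dest:$version" >/dev/null || return 1
    # The mirror must serve the same digest that was verified.
    [ "$(crane digest "$dest:$version")" = "$digest" ] || {
        echo "mirror digest differs from verified digest" >&2; return 1; }
    printf '%s@%s\n' "$dest" "$digest"
}

# Usage: sh verify-mirror.sh agledger/agledger 0.27.9 <your-mirror>/agledger
if [ "$#" -eq 3 ]; then verify_then_mirror "$@"; fi
```

Deploy from the printed digest reference rather than the tag, so what runs is the digest that was verified.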
npm packages
npm audit signatures verifies both the registry signature and the Sigstore build-provenance attestation against the public transparency log:
$ npm install -g @agledger/cli # or any @agledger/* package
$ npm audit signatures
audited 1 package
1 package has a verified registry signature and provenance attestation
Each package page on npmjs.com links the provenance to the exact GitHub Actions run and source commit that built it.
PyPI package
agledger is published via PyPI Trusted Publishing with PEP 740 digital attestations, which bind each release to the agledger-ai/sdk-python publishing workflow (Sigstore identity, public Rekor). Inspect them with the pypi-attestations tool or the PyPI Integrity API:
$ pip install pypi-attestations
$ pypi-attestations verify pypi --repository https://github.com/agledger-ai/sdk-python \
agledger==$VERSION
What else ships with every release
- CycloneDX SBOM and OpenVEX are attached to every agledger-api GitHub release and bound to the image as cosign attestations (verified above).
- A conformance corpus (agledger-<version>-conformance-corpus.tar.gz and its .sha256) ships on every release: the anti-drift seam the offline verifier checks the wire format against.
Related, but a different question
This page verifies the artifacts you install. To verify the records a running Server produces — the hash-chained, Ed25519-signed audit chain — offline and with nothing but the published public key, see Verify offline. The vault signing-key rotation procedure and historical keys are documented on the Security page.
Image and chart recipes mirror the install SECURITY.md; npm and PyPI recipes mirror the agents SECURITY.md.
Verified against the v0.27.9 release on 2026-06-07 (cosign 3.0+, npm, pip).