attestation


# Attestation with orbit CLI


Verify, download, and inspect build provenance attestations using Sigstore bundles with in-toto attestation format and SLSA provenance predicates. This feature supports supply chain security by letting you confirm artifact origin, signer identity, and build metadata.

## Prerequisites


1. `orbit` CLI installed — if `which orbit` fails, install with:
   - macOS/Linux (Homebrew): `brew install jorgemuza/tap/orbit`
   - macOS/Linux (script): `curl -sSfL https://raw.githubusercontent.com/jorgemuza/orbit/main/install.sh | sh`
   - Windows (Scoop): `scoop bucket add jorgemuza https://github.com/jorgemuza/scoop-bucket && scoop install orbit`
2. A Sigstore attestation bundle (`.jsonl` or `.json`) for the artifact you want to verify or inspect
3. For `download`: a profile with a GitHub service configured (attestation bundles are fetched from GitHub)

## Quick Reference


All commands follow the pattern:

```bash
orbit attestation <command> [arguments] [flags]
```

Alias:

```bash
orbit attest <command> [arguments] [flags]
```

All commands support `-o json` and `-o yaml` for structured output. For full command details and all flags, see `references/commands.md`.

## Core Workflows


### Verifying an Artifact


Verify that an artifact matches its attestation bundle, confirming build provenance, signer identity, and source repository.

```bash
# Verify a local binary against a bundle
orbit attestation verify ./my-binary --bundle attestation.jsonl

# Verify with owner and signer identity checks
orbit attest verify ./artifact --bundle bundle.json --owner my-org --signer-identity "github.com/my-org/my-repo"

# Verify a pre-computed digest
orbit attestation verify abc123def456... --bundle att.json --digest-algorithm sha256

# Output verification result as JSON
orbit attestation verify ./my-binary --bundle att.json -o json
```

### Downloading an Attestation Bundle


Fetch the attestation bundle for an artifact digest from a GitHub repository.

```bash
# Download attestation bundle by digest
orbit attestation download sha256:abc123... --repo owner/repo

# With explicit digest algorithm
orbit attest download abc123... --repo owner/repo --digest-algorithm sha256
```

### Inspecting a Bundle


Display the full contents of an attestation bundle, including SLSA provenance, signer identity, builder, source, and materials.

```bash
# Inspect a bundle file
orbit attestation inspect attestation.jsonl

# Output as JSON for processing
orbit attest inspect bundle.json -o json
```

## Common Patterns


**Verify a release binary end-to-end:**

```bash
# Download the attestation bundle
orbit attestation download sha256:abc123... --repo my-org/my-repo

# Verify the binary against the downloaded bundle
orbit attestation verify ./my-binary --bundle attestation.jsonl --owner my-org

# Inspect the bundle for detailed provenance info
orbit attestation inspect attestation.jsonl
```

**Get JSON for scripting:**
Any command supports `-o json` for machine-readable output:

```bash
orbit attestation verify ./my-binary --bundle att.json -o json | jq '.signer'
```

**Check who signed an artifact:**

```bash
orbit attestation inspect bundle.json -o json | jq '.signer'
```

**Verify with strict signer identity:**

```bash
orbit attest verify ./artifact --bundle bundle.json \
  --owner my-org \
  --repo my-org/my-repo \
  --signer-identity "github.com/my-org/my-repo/.github/workflows/release.yml"
```

## Important Notes

- **Sigstore format** — Attestation bundles follow the Sigstore bundle specification. Verification uses the in-toto attestation format with SLSA provenance predicates.
- **Digest algorithms** — Supported algorithms are `sha256` (default) and `sha512`. Use `--digest-algorithm` to specify.
- **Profile for download** — The `download` command requires a profile with GitHub access (`-p <profile>`) since it fetches bundles from GitHub repositories. The `--repo` flag is required.
- **Local-only commands** — The `verify` and `inspect` commands work with local files and do not require a profile or network access (unless fetching a bundle).
- **Output formats** — All commands support `-o json` and `-o yaml` for structured output suitable for scripting and CI pipelines.