Verify the artefact you downloaded

Trust, but verify — four layers, six commands.

Every release ships with SHA-256, GPG, cosign and a SLSA L3 in-toto attestation. Below are the exact commands an auditor will run.

1 · SHA-256 integrity

$ sha256sum echad-os-1.0.0-amd64.iso
a8f94c8a7c2c1d3b9e8f0a5c2d4e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e  echad-os-1.0.0-amd64.iso
$ curl -s https://os.echad.tech/dl/SHA256SUMS | grep amd64
a8f94c8a7c2c1d3b9e8f0a5c2d4e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e  echad-os-1.0.0-amd64.iso

2 · GPG signature (release@parousia.tech)

$ curl -fsSL https://os.echad.tech/dl/parousia-release.asc | gpg --import
$ curl -fsSL https://os.echad.tech/dl/SHA256SUMS -o SHA256SUMS
$ curl -fsSL https://os.echad.tech/dl/SHA256SUMS.asc -o SHA256SUMS.asc
$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: Good signature from "Parousia Group · ECHAD OS Release <release@parousia.tech>"

3 · Cosign signature (keyless · Fulcio + Rekor)

$ cosign verify-blob \
    --certificate-identity "release@parousia.tech" \
    --certificate-oidc-issuer "https://accounts.parousia.tech" \
    --signature echad-os-1.0.0-amd64.iso.sig \
    --certificate echad-os-1.0.0-amd64.iso.pem \
    echad-os-1.0.0-amd64.iso
Verified OK

4 · SLSA L3 attestation

$ slsa-verifier verify-artifact \
    --provenance-path echad-os-1.0.0-amd64.intoto.jsonl \
    --source-uri parousia.tech/echad-os \
    --source-tag v1.0.0 \
    echad-os-1.0.0-amd64.iso
PASSED: SLSA verification
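
Steps 1 and 2 as fail-closed shell functions, for auditors who script the check instead of comparing hashes by eye. This is an added example, not ECHAD OS tooling: the function names are hypothetical, and PINNED is a placeholder for a fingerprint the page does not publish. It assumes GnuPG 2.x status output and file names without whitespace.

```sh
#!/bin/sh
# Added example (not ECHAD OS tooling). Function names are hypothetical.

# Print the hash listed for exactly one file name in a SHA256SUMS file.
# Exact-name match: "grep amd64" would also hit e.g. "...-amd64.iso.sig".
# Assumes file names without whitespace.
listed_hash() {   # usage: listed_hash SUMS_FILE NAME
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }      # "*name" marks binary mode
        f == name { n++; h = $1 }
        END {
            # fail if the entry is absent, duplicated or malformed
            if (n != 1 || length(h) != 64 || h ~ /[^0-9a-f]/) exit 1
            print h
        }
    ' "$1"
}

# Succeed only if PATH hashes to the value listed for its base name.
verify_file() {   # usage: verify_file SUMS_FILE PATH
    want=$(listed_hash "$1" "$(basename "$2")") || return 1
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Read gpg status lines on stdin; succeed only if a VALIDSIG line ends in
# the pinned primary-key fingerprint (GnuPG 2.x status format assumed).
signed_by() {     # usage: ... | signed_by FINGERPRINT
    awk -v fpr="$1" '
        # appending "" forces a string comparison, never a numeric one
        fpr != "" && $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            ($NF "") == (fpr "") { ok = 1 }
        END { exit !ok }
    '
}

# Order matters: authenticate SHA256SUMS first, then trust its contents.
# PINNED is a placeholder; the page publishes no fingerprint, so obtain it
# out of band rather than from the download host.
#   gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
#       | signed_by "$PINNED" \
#     && verify_file SHA256SUMS echad-os-1.0.0-amd64.iso
```

A "Good signature" line only says that some imported key signed the file; pinning the fingerprint is what ties the signature to the release key.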