GitHub Artifact Attestations

GitHub's Artifact Attestations feature - currently in public beta - allows for the creation of a tamper-proof, unforgeable paper trail linking build artifacts to the workflow run that created them. Artifact Attestations is powered by Sigstore, an open source project for signing and verifying software artifacts.

Artifact Attestations is disabled by default in dist, and can be enabled by setting github-attestations = true in your dist configuration.

Note that GitHub's Artifact Attestations only supports public repositories and private repositories of an organization with the GitHub Enterprise plan. In the case of public repositories, attestations generated by GitHub Actions will be written to the Sigstore Public Good Instance and end up on Rekor, Sigstore's immutable transparency log, for public verification. Attestations for private repositories are stored in GitHub's own Sigstore instance instead and are not published to the public log.

Currently, verification of GitHub Artifact Attestations is only supported via GitHub CLI with gh attestation verify. Verification matches the attestation against the digest of the file you pass in, so verify the exact file you downloaded and intend to run, not a re-packaged copy.
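The following is an added example, not code from the dist project or from GitHub, showing how a consumer would wrap gh attestation verify in a fail-closed check for a downloaded release asset. It assumes, none of which the page states: that the asset was built by a dist-generated workflow living at .github/workflows/release.yml in the named repository, that the repository and asset names (example-org/example-app) are placeholders, and that an installed, authenticated gh CLI supports the --repo, --signer-workflow and --deny-self-hosted-runners flags.

```shell
# Added example (not dist's or GitHub's own code): verify a downloaded release
# asset against its GitHub Artifact Attestation, failing closed on any problem.
# Assumed, not taken from the page: the release workflow path
# .github/workflows/release.yml, the placeholder repo example-org/example-app,
# and a gh CLI that supports the flags used below.

# Compose the verification command. --repo pins the attestation to one
# repository (--owner would accept any repository in the organization),
# --signer-workflow pins it to the workflow expected to have built the asset,
# and --deny-self-hosted-runners rejects provenance from builds that ran on
# self-hosted runners rather than GitHub-hosted infrastructure.
# Asset paths are assumed to contain no whitespace.
build_verify_cmd() {
    asset="$1"
    repo="$2"
    workflow="${3:-release.yml}"
    printf 'gh attestation verify %s --repo %s --signer-workflow %s/.github/workflows/%s --deny-self-hosted-runners' \
        "$asset" "$repo" "$repo" "$workflow"
}

# Run the verification. Returns 2 when the check cannot be performed at all
# (missing file or missing gh) and 1 when gh rejects the attestation, so a
# missing tool is never silently treated as a pass.
verify_asset() {
    asset="$1"
    repo="$2"
    if [ ! -f "$asset" ]; then
        echo "verify_asset: no such file: $asset" >&2
        return 2
    fi
    if ! command -v gh >/dev/null 2>&1; then
        echo "verify_asset: gh CLI not found; refusing to skip verification" >&2
        return 2
    fi
    # gh checks the attestation subject against the digest of this exact file.
    if ! eval "$(build_verify_cmd "$asset" "$repo")"; then
        echo "verify_asset: attestation verification FAILED for $asset" >&2
        return 1
    fi
    echo "verify_asset: $asset is attested by $repo"
}

# Usage (placeholder names):
#   VERIFY_REPO=example-org/example-app sh verify.sh example-app-x86_64-unknown-linux-gnu.tar.xz
if [ -n "${1:-}" ] && [ -n "${VERIFY_REPO:-}" ]; then
    verify_asset "$1" "$VERIFY_REPO"
fi
```

Pinning to --repo and --signer-workflow rather than --owner is the part that matters: an attacker with write access to any other repository or workflow in the same organization could otherwise produce an attestation that --owner alone would accept.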