Security

The Arconia CLI releases are signed, their provenance is attested via SLSA (Build Level 3), and an SBOM is provided. This page describes how to verify all three aspects of supply chain security for the Arconia CLI.

PGP

All Arconia CLI release artifacts are signed with PGP. Follow these steps to verify the authenticity of the downloads.

  1. Download the Arconia CLI public key and save it as arconia.asc.

  2. Verify the key fingerprint matches the following:

$ gpg --show-keys arconia.asc
pub   ed25519 2026-01-10 [SC] [expires: 2028-01-10]
      7DF66939ADCE2CF84244C4A5E8CD1A1C72CAFA26
uid                      Thomas Vitale (MavenCentral) <oss@************.io>
sub   cv25519 2026-01-10 [E] [expires: 2028-01-10]

  3. Import the public key into your GPG keyring:

$ gpg --import arconia.asc

  4. Download the Arconia CLI binary archive and its corresponding signature file from the desired release. For example:

    • arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip

    • arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip.asc

  5. Verify the signature against the downloaded binary:

$ gpg --verify arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip.asc arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip
gpg: Signature made Fri Feb 20 00:40:11 2026 CET
gpg:                using EDDSA key E8CD1A1C72CAFA26
gpg: Good signature from "Thomas Vitale (MavenCentral) <oss@************.io>" [ultimate]

A successful verification will display "Good signature" in the output, confirming the authenticity and integrity of the downloaded binary.
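The steps above leave two checks to the reader's eye: that the key file carries the expected fingerprint, and that the "Good signature" really came from that key rather than from any other key that happens to be in the keyring. The following script is an added example, not part of the Arconia CLI project or its documentation; it pins the fingerprint from the page and checks it in gpg's machine-readable output (`--with-colons` and `--status-fd`). The sample listing and status lines are constructed to look like gpg output; the e-mail address, timestamps and subkey fingerprint in them are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Arconia CLI project or its documentation:
# pin the maintainer key fingerprint from the page and check it at the two
# points where the steps above rely on a human reading gpg's output.
set -u

# The primary-key fingerprint shown in the page; this is the one value you trust.
EXPECTED_FPR="7DF66939ADCE2CF84244C4A5E8CD1A1C72CAFA26"

# Reads a `gpg --with-colons --show-keys` listing on stdin and prints the
# fingerprint of each primary key: the 'fpr' record that directly follows 'pub'.
primary_fingerprints() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "fpr" && want { print $10; want = 0 }
           $1 == "sub" { want = 0 }'
}

# Succeeds only if the listing (passed as a string) holds exactly one primary
# key and its fingerprint is EXPECTED_FPR; a key file carrying extra keys fails.
listing_matches_expected() {
  fprs=$(printf '%s\n' "$1" | primary_fingerprints)
  [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] && [ "$fprs" = "$EXPECTED_FPR" ]
}

# Reads `gpg --status-fd 1 --verify` output (passed as a string) and succeeds
# only if the VALIDSIG line names EXPECTED_FPR as the primary key. "Good
# signature" alone says some key in your keyring signed the file; this pins which.
status_signed_by_expected() {
  primary=$(printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $NF }')
  [ "$primary" = "$EXPECTED_FPR" ]
}

# Wrappers for the real files from a release; they need gpg installed.
check_key_file() {      # $1 = arconia.asc
  listing_matches_expected "$(gpg --with-colons --show-keys "$1" 2>/dev/null)"
}
check_signature() {     # $1 = archive.zip.asc, $2 = archive.zip
  status_signed_by_expected "$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)"
}

# Constructed samples shaped like real gpg output, for running offline. The
# fingerprint and key dates are from the page; the e-mail, timestamps and the
# subkey fingerprint are placeholders.
SAMPLE_LISTING='pub:-:255:22:E8CD1A1C72CAFA26:1768003200:1831075200::-:::scSC::::::23::0:
fpr:::::::::7DF66939ADCE2CF84244C4A5E8CD1A1C72CAFA26:
uid:-::::1768003200::0000000000000000000000000000000000000000::Thomas Vitale (MavenCentral) <oss@example.invalid>::::::::::0:
sub:-:255:18:0000000000000000:1768003200:1831075200:::::e::::::18:
fpr:::::::::0000000000000000000000000000000000000000:'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 7DF66939ADCE2CF84244C4A5E8CD1A1C72CAFA26 0
[GNUPG:] GOODSIG E8CD1A1C72CAFA26 Thomas Vitale (MavenCentral) <oss@example.invalid>
[GNUPG:] VALIDSIG 7DF66939ADCE2CF84244C4A5E8CD1A1C72CAFA26 2026-02-19 1771544411 0 4 0 22 8 00 7DF66939ADCE2CF84244C4A5E8CD1A1C72CAFA26'

if listing_matches_expected "$SAMPLE_LISTING" && status_signed_by_expected "$SAMPLE_STATUS"; then
  echo "sample listing and sample signature status both match $EXPECTED_FPR"
fi
```

For a real download, run `check_key_file arconia.asc` before importing and `check_signature <archive>.zip.asc <archive>.zip` instead of reading the human-oriented `gpg --verify` output; both return a non-zero status on mismatch, so they can gate an install script.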

SLSA

Every Arconia CLI release includes SLSA provenance attestations for all release artifacts. Follow these steps to verify the provenance.

  1. Install the slsa-verifier tool.

  2. Download the SLSA provenance attestation file from the desired release. Example: arconia-cli-0.9.8-SNAPSHOT.intoto.jsonl.

  3. Download the corresponding Arconia CLI binary archive from the same release. Example: arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip.

  4. Use slsa-verifier to verify the SLSA provenance attestation against the binary:

$ slsa-verifier verify-artifact arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip \
       --provenance-path arconia-cli-0.9.8-SNAPSHOT.intoto.jsonl \
       --source-uri github.com/arconia-io/arconia-cli

A successful verification will output a message similar to:

Verified signature against tlog entry index 971655809 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a7142a6a01d5b7c643a29670e0997ffa69885b31eea405d483b3284cd643b5e85
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit 60ba307923212448e37903fdcfd6371503efa1ba
Verifying artifact arconia-cli-0.9.8-macos-aarch64.zip: PASSED

PASSED: SLSA verification passed

This process ensures the authenticity and integrity of the Arconia CLI release artifacts.
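What slsa-verifier checks, beyond the Sigstore signature, is that the artifact's SHA-256 appears as a subject in the provenance and that the builder is the one you expect. The script below is an added example, not the project's own tooling: it performs those two bindings locally as a pre-check and then calls slsa-verifier with `--source-tag` and `--builder-id` pinned, rather than only `--source-uri` as in the command above. The tag to pass is an assumption that depends on how the release was cut. The sample provenance it builds is constructed and unsigned, so it exercises only the pre-checks; slsa-verifier would (correctly) reject it.

```shell
#!/bin/sh
# Added example, not from the Arconia CLI project: before handing the files to
# slsa-verifier, confirm the provenance actually describes the artifact you hold,
# then call slsa-verifier with the builder and tag pinned, not just the repository.
set -u

# Builder identity copied from the slsa-verifier output shown above.
EXPECTED_BUILDER="https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"

# Hex SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}

# The .intoto.jsonl file holds one DSSE envelope per line; the in-toto statement
# is the base64 "payload" field. Assumes compact JSON (as slsa-github-generator
# emits) and reads only the first envelope.
decode_statement() {   # $1 = provenance file
  head -n 1 "$1" | sed -n 's/.*"payload":"\([^"]*\)".*/\1/p' | base64 -d
}

# Succeeds if the artifact's digest is listed as a subject of the provenance.
# This is the binding slsa-verifier enforces; doing it first gives a clear error
# when the wrong platform archive was downloaded.
subject_digest_matches() {   # $1 = provenance file, $2 = artifact
  digest=$(sha256_of "$2")
  decode_statement "$1" | grep -qF "\"sha256\":\"$digest\""
}

# Succeeds if the provenance names the expected builder (the id may be suffixed
# with @refs/tags/<version>, as in the page's output).
builder_matches() {   # $1 = provenance file
  decode_statement "$1" | grep -qF "\"id\":\"$EXPECTED_BUILDER"
}

# Full verification for a real release. --source-tag and --builder-id are
# slsa-verifier flags; the tag to pass ($3) is an assumption that depends on how
# the release was cut.
verify_release_artifact() {   # $1 = artifact, $2 = provenance, $3 = expected git tag
  subject_digest_matches "$2" "$1" && builder_matches "$2" &&
  slsa-verifier verify-artifact "$1" \
    --provenance-path "$2" \
    --source-uri github.com/arconia-io/arconia-cli \
    --source-tag "$3" \
    --builder-id "$EXPECTED_BUILDER"
}

# Constructed, unsigned sample provenance for an offline run of the pre-checks
# (slsa-verifier would rightly reject it: its job is the Sigstore signature).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_ARTIFACT="$SAMPLE_DIR/arconia-cli-sample.zip"
SAMPLE_PROV="$SAMPLE_DIR/arconia-cli-sample.intoto.jsonl"
printf 'constructed artifact bytes\n' > "$SAMPLE_ARTIFACT"
statement=$(printf '{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"arconia-cli-sample.zip","digest":{"sha256":"%s"}}],"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"builder":{"id":"%s@refs/tags/v2.0.0"}}}' \
  "$(sha256_of "$SAMPLE_ARTIFACT")" "$EXPECTED_BUILDER")
printf '{"payloadType":"application/vnd.in-toto+json","payload":"%s","signatures":[]}\n' \
  "$(printf '%s' "$statement" | base64 | tr -d '\n')" > "$SAMPLE_PROV"

if subject_digest_matches "$SAMPLE_PROV" "$SAMPLE_ARTIFACT" && builder_matches "$SAMPLE_PROV"; then
  echo "sample provenance binds the sample artifact and names the expected builder"
fi
```

Pinning the builder matters because `--source-uri` alone accepts any SLSA 3 builder that claims the repository; pinning the tag ties the artifact to the release you intended to install rather than to any commit of that repository.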

SBOM

Every Arconia CLI release includes a comprehensive CycloneDX Software Bill of Materials (SBOM) for all release artifacts. The SBOM provides a detailed inventory of components, libraries, and dependencies used in the Arconia CLI, enhancing transparency, security, and compliance efforts.

To access and review the SBOM for a specific release:

  1. Visit the Arconia CLI releases page on GitHub.

  2. Download the binary archive for your desired release and platform. Example: arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip.

  3. Extract the contents of the archive to a local directory.

  4. Locate the file named sbom.cdx.json within the extracted directory. This JSON file contains the comprehensive SBOM for the release.

You can use various SBOM analysis tools to examine the sbom.cdx.json file and gain valuable insights into the components and dependencies of the Arconia CLI. Some recommended tools include:

  • OWASP Dependency-Track: An intelligent component analysis platform that allows you to identify and reduce risk in your software supply chain.

  • Trivy: A comprehensive and versatile security scanner for containers and other artifacts.

By reviewing the SBOM, you can better understand the composition of the Arconia CLI, identify potential vulnerabilities, and ensure compliance with licensing requirements.
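As an added example of the SBOM steps above (not tooling from the Arconia CLI project), the script below pulls sbom.cdx.json straight out of the release archive, checks that the file is a CycloneDX document before anything consumes it, and passes it to Trivy's `sbom` subcommand with an exit code that fails on HIGH or CRITICAL findings. The sample SBOM it writes is constructed; its component names and versions are placeholders, not Arconia's dependencies.

```shell
#!/bin/sh
# Added example, not part of the Arconia CLI project: take sbom.cdx.json out of
# the release archive, check that it really is a CycloneDX document, and hand it
# to Trivy. The archive and file names are the ones given in the steps above.
set -u

# Extracts only sbom.cdx.json from the zip (no need to unpack the whole archive).
extract_sbom() {   # $1 = release zip, $2 = output path
  unzip -p "$1" sbom.cdx.json > "$2"
}

# Succeeds if the file declares itself a CycloneDX BOM and carries a spec
# version; tolerates both compact and pretty-printed JSON.
is_cyclonedx() {   # $1 = sbom file
  grep -Eq '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1" &&
  grep -Eq '"specVersion"[[:space:]]*:[[:space:]]*"[0-9.]+"' "$1"
}

# Approximate component count: each CycloneDX component normally carries a purl.
component_count() {   # $1 = sbom file
  grep -o '"purl"' "$1" | wc -l | tr -d ' '
}

# Match the SBOM against Trivy's vulnerability database; --exit-code 1 makes
# HIGH/CRITICAL findings fail the command so this can gate a pipeline.
scan_sbom() {   # $1 = sbom file
  is_cyclonedx "$1" && trivy sbom --severity HIGH,CRITICAL --exit-code 1 "$1"
}

# Constructed minimal CycloneDX document with two components, for an offline run
# (component names and versions are placeholders, not Arconia's dependencies).
SAMPLE_SBOM=$(mktemp)
trap 'rm -f "$SAMPLE_SBOM"' EXIT
cat > "$SAMPLE_SBOM" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    { "type": "library", "name": "example-lib-a", "version": "1.0.0",
      "purl": "pkg:maven/org.example/example-lib-a@1.0.0" },
    { "type": "library", "name": "example-lib-b", "version": "2.3.1",
      "purl": "pkg:maven/org.example/example-lib-b@2.3.1" }
  ]
}
EOF

if is_cyclonedx "$SAMPLE_SBOM"; then
  echo "sample SBOM is CycloneDX with $(component_count "$SAMPLE_SBOM") components"
fi
```

For a real release: `extract_sbom arconia-cli-0.9.8-SNAPSHOT-linux-amd64.zip sbom.cdx.json && scan_sbom sbom.cdx.json`. The same file can be uploaded to Dependency-Track, which keeps matching it against new advisories over time instead of scanning once.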