Skip to main content
Fabro publishes SLSA Build Provenance attestations for every release tarball and the multi-arch Docker image. Attestations are signed via Sigstore and recorded in the public transparency log, so you can verify that an artifact was built by our GitHub Actions workflow from a specific commit in fabro-sh/fabro before you run it.
Provenance proves where and how an artifact was built. It does not vouch for the correctness or security of the source code itself — only that what you downloaded was built by our workflow from the commit it claims.

Prerequisites

Install the GitHub CLI and authenticate: 
gh auth login

Verify a binary tarball

Download the tarball for your platform from the releases page, then: 
gh attestation verify fabro-aarch64-apple-darwin.tar.gz --repo fabro-sh/fabro
A successful verification prints Loaded digest … followed by ✓ Verification succeeded! and details of the matched attestation.

Verify the Docker image

The attestation is attached to the image in GHCR, so no separate download is needed: 
gh attestation verify oci://ghcr.io/fabro-sh/fabro:<version> --repo fabro-sh/fabro
Replace <version> with the release version (e.g. 0.207.0) or use latest / nightly.

Homebrew installs

The fabro-sh/tap Homebrew formula verifies a SHA-256 checksum against each tarball Homebrew downloads, so there is no separate attestation step to run at install time. If you want provenance verification for a Homebrew-installed release, download the matching tarball from the releases page and run gh attestation verify against it.