Fabro publishes SLSA Build Provenance attestations for every release tarball and the multi-arch Docker image. Attestations are signed via Sigstore and recorded in the public transparency log, so you can verify that an artifact was built by our GitHub Actions workflow from a specific commit inDocumentation Index
Fetch the complete documentation index at: https://docs.fabro.sh/llms.txt
Use this file to discover all available pages before exploring further.
fabro-sh/fabro before you run it.
Provenance proves where and how an artifact was built. It does not vouch for the correctness or security of the source code itself — only that what you downloaded was built by our workflow from the commit it claims.
Prerequisites
Install the GitHub CLI and authenticate:Verify a binary tarball
Download the tarball for your platform from the releases page, then:Loaded digest … followed by ✓ Verification succeeded! and details of the matched attestation.
Verify the Docker image
The attestation is attached to the image in GHCR, so no separate download is needed:<version> with the release version (e.g. 0.207.0) or use latest / nightly.
Homebrew installs
Thefabro-sh/tap Homebrew formula verifies a SHA-256 checksum against each tarball Homebrew downloads, so there is no separate attestation step to run at install time. If you want provenance verification for a Homebrew-installed release, download the matching tarball from the releases page and run gh attestation verify against it.