attestation
Installation
SKILL.md
Attestation with orbit CLI
Verify, download, and inspect build provenance attestations using Sigstore bundles with in-toto attestation format and SLSA provenance predicates. This feature supports supply chain security by letting you confirm artifact origin, signer identity, and build metadata.
Prerequisites
orbitCLI installed — ifwhich orbitfails, install with:- macOS/Linux (Homebrew):
brew install jorgemuza/tap/orbit - macOS/Linux (script):
curl -sSfL https://raw.githubusercontent.com/jorgemuza/orbit/main/install.sh | sh - Windows (Scoop):
scoop bucket add jorgemuza https://github.com/jorgemuza/scoop-bucket && scoop install orbit
- macOS/Linux (Homebrew):
- A Sigstore attestation bundle (
.jsonlor.json) for the artifact you want to verify or inspect - For
download: a profile with a GitHub service configured (attestation bundles are fetched from GitHub)
Quick Reference
All commands follow the pattern: orbit attestation <command> [arguments] [flags]
Alias: orbit attest <command> [arguments] [flags]