Skip to main content

What a release manifest is

The release manifest (artifacts/release-manifest.json) describes the governance server’s own identity its version, binary hash, and compilation provenance. Every attestation includes a releaseManifestHash the SHA-256 of this file. Verifying the release manifest proves that the runtime itself was built from a known, signed release.

Release manifest structure

{
  "runtimeVersion": "1.0.0",
  "runtimeHash": "sha256:c9d4e5f...",
  "buildTimestamp": "2024-01-10T00:00:00.000Z",
  "capabilities": ["execute", "verify", "audit"],
  "supportedSchemaVersions": ["1.0.0"],
  "releaseId": "parmana-server-1.0.0-20240110"
}
artifacts/release-manifest.sig contains the Ed25519 signature over the canonical JSON of this file.

Using verifyExecutionRequirements

Verifies that an attestation’s runtime requirements are satisfied by a given manifest: 
import {
  verifyExecutionRequirements,
  LocalVerifier,
} from "@parmanasystems/core";
import fs from "node:fs";

const publicKey       = fs.readFileSync("trust/root.pub", "utf8");
const verifier        = new LocalVerifier(publicKey);
const releaseManifest = JSON.parse(
  fs.readFileSync("artifacts/release-manifest.json", "utf8")
);
const releaseSignature = fs.readFileSync("artifacts/release-manifest.sig", "utf8");

const result = verifyExecutionRequirements(
  {
    supportedRuntimeVersions: [releaseManifest.runtimeVersion],
    supportedSchemaVersions: releaseManifest.supportedSchemaVersions,
  },
  releaseManifest,
  verifier
);

console.log(result.valid); // true

Matching release manifest hash to attestation

import crypto from "node:crypto";
import { canonicalize } from "@parmanasystems/core";

const releaseManifestHash = crypto
  .createHash("sha256")
  .update(canonicalize(releaseManifest), "utf8")
  .digest("hex");

if (attestation.releaseManifestHash !== releaseManifestHash) {
  throw new Error(
    "Release manifest hash mismatch attestation may be from a different release"
  );
}

CLI verification

npx @parmanasystems/verifier-cli verify-release \
  --manifest artifacts/release-manifest.json \
  --signature artifacts/release-manifest.sig \
  --public-key trust/root.pub
Expected output: 
✓ Release manifest signature verified
  runtimeVersion: 1.0.0
  runtimeHash: sha256:c9d4e5f...
  releaseId: parmana-server-1.0.0-20240110

Expected result

A successful release verification confirms:
  1. The artifacts/release-manifest.sig is a valid Ed25519 signature over the canonical manifest JSON
  2. The manifest was signed by a key that traces to the trust root
  3. The runtimeVersion and runtimeHash in the manifest match the values embedded in attestations produced by this runtime

Troubleshooting

Release manifest signature invalid The manifest was modified after signing, or the wrong public key is being used. Contact the team that distributed the release. releaseManifestHash mismatch between attestation and file The attestation was produced by a different release than the one at artifacts/release-manifest.json. Either the runtime was updated since the attestation was produced, or the release manifest was replaced. Obtain the release manifest from the same release that produced the attestation.