Provenance Registry Artifact Attestation

ARTIFACT

aureliasrs/api:3.1.0-amd64

Published: 2026-01-12 10:15 UTC

OCI Image Details

Type OCI Image

Platform linux/amd64

Size 150 MB

SLSA Level SLSA 3

Verify Image

# Pull by digest (immutable reference)
docker pull aureliasrs/api:3.1.0-amd64@sha256:img001234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

# Verify with cosign
cosign verify aureliasrs/api:3.1.0-amd64@sha256:img001234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

SLSA Provenance

SLSA Level

SLSA 3

Builder Level: 3

Digests

Content-addressed checksums for verifying artifact integrity.

sha256

img001234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

sha512

img512001234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

blake3

imgblk001234567890abcdef1234567890abcdef1234567890abcdef1234567890

Verify Locally

# Download artifact
curl -O https://artifacts.patterneddesigns.ca/container-images/v3.1.0/aureliasrs/api:3.1.0-amd64

# Verify SHA-256
sha256sum aureliasrs/api:3.1.0-amd64
# Expected: img001234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

Signatures & Trust

Cryptographic signatures binding this artifact to publisher identities.

AureliaSRS Primary Key

pgp 2026-01-12

Key ID

4096R/ABCD1234

Fingerprint

1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678

Key Locations:

Signature

Verify Signature

# Import key
gpg --keyserver keys.openpgp.org --recv-keys 4096R/ABCD1234

# Verify signature
gpg --verify signature.asc artifact.tar.gz

AureliaSRS Backup Key

pgp 2026-01-12

Key ID

2048R/WXYZ9876

Fingerprint

9876 5432 10FE DCBA 9876 5432 10FE DCBA 9876 5432

Key Locations:

https://keys.openpgp.org/vks/v1/by-fingerprint/987654321FEDCBA987654321FEDCBA9876543210

Signature

Verify Signature

# Import key
gpg --keyserver keys.openpgp.org --recv-keys 2048R/WXYZ9876

# Verify signature
gpg --verify signature.asc artifact.tar.gz

External Attestations

Sigstore Rekor transparency-log

Container image logged in Sigstore Rekor transparency log

Trivy Security Scanner vulnerability-scan

No critical or high vulnerabilities detected

Cosign image-signature

Container signature verified via Cosign

Provenance

Build metadata and supply chain context for this artifact.

Builder

Docker Buildx

OS: v0.12.1

View Build

Build System

Type: github-actions

Workflow: .github/workflows/docker-build.yaml

Commit: 7c6d5e4f

Repository

Build Metadata

Started: 2026-01-12 09:50

Completed: 2026-01-12 10:10

Reproducible: Yes

Software Bill of Materials

Format: cyclonedx

Digest: sha256:sbomimg001234...

Download SBOM

Signing System

Type: gpg

Key Management: hardware-security-module

Jurisdiction: Canada

Jurisdiction

Build Location: ca-central-1 (AWS Canada)

Data Residency: Canada

Legal Entity: AureliaSRS Inc.

Verification

Verification Passed

Digest Verified: ✓

Signature Verified: ✓

Attestations Verified: ✓

Last Verified: 2026-01-16 06:00 UTC

Method: automated

View Verification Log

Verification results are derived and informational. Always perform independent verification using the signatures and digests above.

← All Releases JSON Spec