Verifying the integrity of a release

You can avoid tampering and accidental changes by ensuring the releases you use have not been modified after publication.

Tool navigation

In this article

Note

Immutable releases are currently in public preview and subject to change.

Prerequisites

Before you can validate the authenticity of a release and its assets on the command line, you need to install the GitHub CLI.

Verifying immutable releases and local artifacts

  1. On the command line, open the repository containing the release you want to verify.

  2. To verify a release exists and is immutable, run the following command:

    Bash
    gh release verify RELEASE-TAG

  3. To verify a local artifact is an exact match for a release asset, run the following command:

    Bash
    gh release verify-asset RELEASE-TAG ARTIFACT-PATH

    Note

    This command cannot be used to verify the source code zip file or tarball for a release, since these assets are only created when a download is requested.

  1. On GitHub, navigate to the main page of the repository.

  2. To the right of the list of files, click Releases.

    Screenshot of the main page of a repository. A link, labeled "Releases", is highlighted with an orange outline.

  3. To the left of the release you want to verify, below the release author, confirm that " Immutable" is present.