Skip to content

Verify release-artifact provenance in fetch-circuit-artifacts.ts #62

Description

@collinsadi

scripts/fetch-circuit-artifacts.ts downloads the zkey and WASM from a GitHub release and checks the SHA-256 against the manifest, but there is no release-signature or provenance check binding the artifact to a known publisher or source commit. We should record the producing commit SHA in the artifact manifest and verify a GPG or GitHub attestation signature on the release before accepting downloads.

Acceptance criteria

  • The fetch fails if the provenance or signature does not match the manifest.
  • The provenance fields are documented in artifacts/README.md.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Official CampaignPart of the official campaignmediumMedium prioritysecurity-hardeningDefensive hardening (non-blocking)toolingScripts and tooling

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions