scripts/fetch-circuit-artifacts.ts downloads the zkey and WASM from a GitHub release and checks the SHA-256 against the manifest, but there is no release-signature or provenance check binding the artifact to a known publisher or source commit. We should record the producing commit SHA in the artifact manifest and verify a GPG or GitHub attestation signature on the release before accepting downloads.
Acceptance criteria
- The fetch fails if the provenance or signature does not match the manifest.
- The provenance fields are documented in
artifacts/README.md.
scripts/fetch-circuit-artifacts.tsdownloads the zkey and WASM from a GitHub release and checks the SHA-256 against the manifest, but there is no release-signature or provenance check binding the artifact to a known publisher or source commit. We should record the producing commit SHA in the artifact manifest and verify a GPG or GitHub attestation signature on the release before accepting downloads.Acceptance criteria
artifacts/README.md.