NAME¶

gh-release-verify-asset - Verify that a given asset originated from a release

SYNOPSIS¶

gh release verify-asset [<tag>] <file-path> [flags]

DESCRIPTION¶

Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations.

An attestation is a claim made by GitHub regarding a release and its assets.

	This command checks that the asset you provide matches a valid attestation for the specified release (or the latest release, if no tag is given).

It ensures the asset's integrity by validating that the asset's digest matches the subject in the attestation and that the attestation is associated with the release.

OPTIONS¶

--format <string>

Output format: {json}

-q, --jq <expression>

Filter JSON output using a jq expression

-t, --template <string>

Format JSON output using a Go template; see "gh help formatting"

OPTIONS INHERITED FROM PARENT COMMANDS¶

-R, --repo <[HOST/]OWNER/REPO>

Select another repository using the [HOST/]OWNER/REPO format

EXIT CODES¶

0: Successful execution

1: Error

2: Command canceled

4: Authentication required

NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.

EXAMPLE¶

# Verify an asset from the latest release
$ gh release verify-asset ./dist/my-asset.zip
# Verify an asset from a specific release tag
$ gh release verify-asset v1.2.3 ./dist/my-asset.zip
# Verify an asset from a specific release tag and output the attestation in JSON format
$ gh release verify-asset v1.2.3 ./dist/my-asset.zip --format json

Source file:	gh-release-verify-asset.1.en.gz (from gh 2.82.1-1.1)
Source last updated:	2025-10-23T07:11:27Z
Converted to HTML:	2025-11-02T03:22:26Z