Release assets/artifacts are now signed using the Sigstore project's technology, which issues certificates containing, among other details, the identity of the subject to whom the certificate is issued. You can start by inspecting the certificate used to sign your artifact of choice. The certificates are base64 encoded, so you first have to base64 decode them to obtain the PEM file. In the example, we'll work with the caddy_2.6.0_checksums.txt artifact and assume a *nix environment.

Start by downloading the 3 files pertaining to your artifact of choice: <the artifact>, which is the actual artifact whose companion signature and certificate are to be verified; <the artifact>.sig, which is the signature of the artifact; and <the artifact>.pem, which is the certificate descending from the Fulcio root certificate operated by Sigstore. Then base64 decode the downloaded .pem file to get the armored version:

base64 -d < caddy_2.6.0_checksums.txt.pem > cert.pem
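The decode step above, wrapped in a small script that also checks the result is really PEM armor before you go on to inspect it. This is an added example, not part of the Caddy documentation or the Sigstore tooling; the function names (make_sample_pem_file, decode_cert, inspect_cert) are assumptions, and the certificate body is a constructed placeholder so the script runs offline. Point decode_cert at a downloaded <the artifact>.pem to use it for real.

```shell
#!/bin/sh
# Added example (not from the Caddy docs): decode a base64-wrapped Sigstore
# certificate file and sanity-check the PEM armor before inspecting it.
# The sample certificate body below is CONSTRUCTED placeholder text, not a
# real Fulcio certificate; replace it with a downloaded <the artifact>.pem.
set -e

WORKDIR="${TMPDIR:-/tmp}/sigstore-pem-demo.$$"
mkdir -p "$WORKDIR"

# Build a stand-in for the downloaded .pem: a PEM block that is base64-wrapped
# once more, the same layout as the .pem release asset described above.
make_sample_pem_file() {
  out="$1"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==' \
    '-----END CERTIFICATE-----' | base64 > "$out"
}

# decode_cert <downloaded.pem> <out.pem>: base64-decode the file and confirm
# the output is PEM armor. Returns 0 on success, 1 if the decoded bytes are
# not a certificate (for example a truncated or corrupted download).
decode_cert() {
  base64 -d < "$1" > "$2" 2>/dev/null || return 1
  head -n 1 "$2" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  tail -n 1 "$2" | grep -q '^-----END CERTIFICATE-----$' || return 1
  return 0
}

# inspect_cert <cert.pem>: when openssl is available, print issuer, subject
# and subjectAltName, the fields that say who Fulcio issued the cert to;
# otherwise (or if the body is not parseable) report that instead.
inspect_cert() {
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$1" -noout -issuer -subject -ext subjectAltName 2>/dev/null \
      || echo "openssl could not parse $1 (placeholder body in this demo)"
  else
    echo "openssl not installed; decoded PEM written to $1"
  fi
}

make_sample_pem_file "$WORKDIR/sample.txt.pem"
if decode_cert "$WORKDIR/sample.txt.pem" "$WORKDIR/cert.pem"; then
  echo "decoded PEM armor looks valid"
  inspect_cert "$WORKDIR/cert.pem"
else
  echo "decoded file is not a PEM certificate"
fi
```

Decoding and reading the certificate only tells you who the signer's identity is claimed to be; it does not verify the .sig against the artifact, which is a separate step with the Sigstore tooling.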