GH-RELEASE-VERIFY-ASSET(1) GitHub CLI manual GH-RELEASE-VERIFY-ASSET(1)

NAME
gh-release-verify-asset - Verify that a given asset originated from a release

SYNOPSIS
gh release verify-asset [<tag>] <file-path> [flags]

DESCRIPTION
Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations.

An attestation is a claim made by GitHub regarding a release and its assets.

This command checks that the asset you provide matches a valid attestation for the specified release (or the latest release, if no tag is given).

It ensures the asset's integrity by validating that the asset's digest matches the subject in the attestation and that the attestation is associated with the release.

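OPTIONS
--format <string>
    Output format: {json}

-q, --jq <expression>
    Filter JSON output using a jq expression

-t, --template <string>
    Format JSON output using a Go template; see "gh help formatting"

OPTIONS INHERITED FROM PARENT COMMANDS
-R, --repo <[HOST/]OWNER/REPO>
    Select another repository using the [HOST/]OWNER/REPO format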

EXIT CODES
0: Successful execution

1: Error

2: Command canceled

4: Authentication required

NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.

EXAMPLE
# Verify an asset from the latest release
$ gh release verify-asset ./dist/my-asset.zip

# Verify an asset from a specific release tag
$ gh release verify-asset v1.2.3 ./dist/my-asset.zip

# Verify an asset from a specific release tag and output the attestation in JSON format
$ gh release verify-asset v1.2.3 ./dist/my-asset.zip --format json
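
The following wrapper is an added example, not part of the GitHub CLI manual: it pins the tag and repository and maps the exit codes listed above to distinct fail-closed outcomes. The function name `verify_pinned_asset`, its return codes 10-13 and the script name `verify.sh` are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed gate around `gh release verify-asset`.
# verify_pinned_asset and its return codes 10-13 are hypothetical names
# chosen for this example; they are not part of gh.
#
# verify_pinned_asset OWNER/REPO TAG FILE
#   0   gh exited 0: the asset matched an attestation for TAG
#   10  gh exited 1 (error): treat FILE as untrusted
#   11  gh exited 4 (authentication required): fix credentials and retry
#   12  bad input: empty repo or tag, or unreadable file
#   13  any other gh exit code, including 2 (command canceled)
verify_pinned_asset() (
    repo=$1 tag=$2 file=$3
    # Require an explicit tag. Without one gh checks the asset against the
    # latest release, which can change between two runs of the same job.
    if [ -z "$repo" ] || [ -z "$tag" ] || [ ! -r "$file" ]; then
        echo "need OWNER/REPO, a release tag and a readable file" >&2
        exit 12
    fi
    rc=0
    # stdout is discarded; gh's own error text on stderr stays visible.
    gh release verify-asset "$tag" "$file" --repo "$repo" >/dev/null || rc=$?
    case $rc in
        0) exit 0 ;;
        1) echo "UNTRUSTED: gh reported an error for $file ($repo@$tag)" >&2
           exit 10 ;;
        4) echo "gh needs authentication; $file is still unverified" >&2
           exit 11 ;;
        *) echo "gh exited $rc; $file is still unverified" >&2
           exit 13 ;;
    esac
)

# Run as a script: sh verify.sh OWNER/REPO v1.2.3 ./dist/my-asset.zip
if [ "$#" -eq 3 ]; then
    verify_pinned_asset "$@"
fi
```

Separating return code 11 from 10 lets a pipeline report a credentials problem differently from an asset that could not be verified, while still refusing to use the file in both cases.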

SEE ALSO
gh-release(1)

Oct 2025