
VERIFY PROVENANCE

Cryptographic proof the forge built this

The hero on the landing page promises SLSA provenance signed in sigstore's transparency log. Promises are cheap. Proof is what matters. Here is how you verify — in thirty seconds, from your own terminal.

Kenobi

WHY VERIFY

A provenance attestation is a signed statement that says: “This exact tarball was built by this exact workflow from this exact commit.” When you verify it, you're confirming that the code that ended up on your laptop came through the public VoidForge build pipeline — not from a compromised maintainer laptop, not injected by an intermediate registry, not tampered with.

The signature is anchored in sigstore's public transparency log, so every signature is append-only and third-party auditable.

NPM AUDIT SIGNATURES

The simplest check. Install first, then ask npm to verify the attestation on every package in your tree.

$ npm install voidforge-build
$ npm audit signatures

Requires npm 9.5+. A passing run prints something like verified registry signatures and verified attestations. If you see the latter, the package was built from the VoidForge repo by the VoidForge workflow.

INSPECT THE ATTESTATION

Want to see the raw attestation? Ask npm for the package metadata and pull the dist.attestations field.

$ npm view voidforge-build --json | jq '.dist.attestations'

You'll get a JSON blob that points at the attestation bundle URL and the predicate type (https://slsa.dev/provenance/v1). Pin a specific version by appending @<version> to the package name.

THE SIGSTORE TRANSPARENCY LOG

Every attestation gets a log index in sigstore's public transparency log. Browse them at search.sigstore.dev — search by package name, workflow, or the email of the signer (which, for GitHub Actions, is the workflow identity, not a human).

The log is append-only and publicly replicated, so if an attestation was ever issued, it's there forever. That is what makes the “cryptographic proof” claim load-bearing and not just marketing copy.

TROUBLESHOOTING

NPM TOO OLD

npm audit signatures requires npm 9.5 or later. Upgrade with npm install -g npm@latest and re-run.

NO ATTESTATION REPORTED

If npm audit signatures only mentions registry signatures and not attestations, the package in your tree may be too old — provenance was added in v23.9.2+ (see release history). Reinstall with npm install voidforge-build@latest and re-audit.

AIRGAPPED / PROXY REGISTRIES

Private mirrors may strip attestations when proxying from upstream npmjs.org. If your team runs one, ask your registry admin to preserve the dist.attestations field, or verify the package from a clean environment connected to the public registry.
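The following script is an added example for this tutorial, not VoidForge project code. It automates the "Inspect the attestation" step and the two troubleshooting cases above: it reads the same JSON that npm view <pkg>@<version> --json prints, checks that dist.attestations is present, that the predicate type is the SLSA v1 provenance type, and that the attestation bundle URL is served by the public registry for exactly that package version (a mirror that rewrote or dropped the field will fail here). The function inspect_attestations and the constant names are this example's own; the sample metadata, including the older version number 23.9.1, is constructed for the demo and is not real registry output.

```python
"""Check the dist.attestations field of an npm package's registry metadata.

Added example, not VoidForge project code. Usage against the live registry:
    python check_provenance.py voidforge-build@23.9.2
Without arguments it runs against the constructed samples below.
"""
import json
import subprocess
import sys
from urllib.parse import unquote, urlparse

SLSA_V1 = "https://slsa.dev/provenance/v1"   # predicate type the tutorial expects
PUBLIC_REGISTRY = "registry.npmjs.org"       # where attestation bundles are served from


def inspect_attestations(view_json: str, expect_predicate: str = SLSA_V1) -> dict:
    """Return a verdict for one package from the text of `npm view --json`."""
    meta = json.loads(view_json)
    # `npm view` prints a list when the spec matches several versions; take the newest.
    if isinstance(meta, list):
        meta = meta[-1]
    name, version = meta.get("name"), meta.get("version")
    spec = f"{name}@{version}"
    verdict = {"package": spec, "attested": False, "problems": []}

    att = meta.get("dist", {}).get("attestations")
    if not att:
        # Matches the "NO ATTESTATION REPORTED" and proxy-registry cases in the tutorial.
        verdict["problems"].append(
            "no dist.attestations: version predates provenance or a proxy stripped it")
        return verdict

    predicate = att.get("provenance", {}).get("predicateType")
    if predicate != expect_predicate:
        verdict["problems"].append(f"unexpected predicateType {predicate!r}")

    url = urlparse(att.get("url", ""))
    if url.scheme != "https" or url.hostname != PUBLIC_REGISTRY:
        verdict["problems"].append(
            f"attestation bundle URL not served by {PUBLIC_REGISTRY}: {att.get('url')!r}")
    if spec not in unquote(url.path):
        verdict["problems"].append("attestation URL does not name this package version")

    verdict["attested"] = not verdict["problems"]
    return verdict


def fetch_view(spec: str) -> str:
    """Run `npm view <spec> --json` and return its stdout (requires npm on PATH)."""
    return subprocess.run(["npm", "view", spec, "--json"],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample metadata (not real registry output).
SAMPLE_ATTESTED = json.dumps({
    "name": "voidforge-build", "version": "23.9.2",
    "dist": {
        "tarball": "https://registry.npmjs.org/voidforge-build/-/voidforge-build-23.9.2.tgz",
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/voidforge-build@23.9.2",
            "provenance": {"predicateType": SLSA_V1},
        },
    },
})
# An older, pre-provenance release (version number constructed for the demo).
SAMPLE_STRIPPED = json.dumps({
    "name": "voidforge-build", "version": "23.9.1",
    "dist": {"tarball": "https://registry.npmjs.org/voidforge-build/-/voidforge-build-23.9.1.tgz"},
})


def main(argv: list) -> int:
    inputs = [fetch_view(s) for s in argv] if argv else [SAMPLE_ATTESTED, SAMPLE_STRIPPED]
    worst = 0
    for text in inputs:
        v = inspect_attestations(text)
        status = "OK " if v["attested"] else "FAIL"
        print(f"{status} {v['package']}" + "".join(f"\n     - {p}" for p in v["problems"]))
        worst = max(worst, 0 if v["attested"] else 1)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script exits non-zero when any package fails, so it can gate a CI step; note that it checks what the registry advertises, which complements rather than replaces npm audit signatures, the command that actually verifies the signatures against sigstore.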