Supply Chain Security

Every Sentinel release is signed, attested, and ships with a full software bill of materials. Know exactly what you're deploying.

Sentinel sits at the edge of your network. Every request flows through it. That position demands verifiable trust in the software you deploy. We provide cryptographic proof of provenance for every release artifact.

Releases are identified by CalVer (YY.MM_PATCH, e.g., 26.01_0). This is the version you'll see in download URLs, Docker tags, and verification commands below. Enterprise LTS branches are designated by their CalVer series.

Signed Releases

Every binary is signed with Sigstore cosign using keyless signing tied to our GitHub Actions OIDC identity. No private keys to rotate or leak.

cosign verify-blob \
  --bundle sentinel.tar.gz.bundle \
  --certificate-identity-regexp \
    "github.com/raskell-io/sentinel" \
  --certificate-oidc-issuer \
    "https://token.actions.githubusercontent.com" \
  sentinel.tar.gz

Software Bill of Materials

Every release includes machine-readable SBOMs in both CycloneDX 1.5 and SPDX 2.3 formats listing all dependencies, versions, and licenses. Scan them with your existing vulnerability tooling.

# Scan SBOM for vulnerabilities
grype sbom:sentinel-sbom.cdx.json

Container Images

OCI images on GHCR are signed with cosign and include an SBOM attestation. Verify image authenticity before pulling into your cluster.

cosign verify \
  ghcr.io/raskell-io/sentinel:VERSION \
  --certificate-identity-regexp \
    "github.com/raskell-io/sentinel" \
  --certificate-oidc-issuer \
    "https://token.actions.githubusercontent.com"

SLSA Provenance

All release artifacts include SLSA v1.0 provenance attestations generated by the SLSA GitHub Generator, achieving SLSA Build Level 3.

slsa-verifier verify-artifact \
  sentinel.tar.gz \
  --provenance-path sentinel.tar.gz.intoto.jsonl \
  --source-uri github.com/raskell-io/sentinel
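What slsa-verifier is checking behind that command can be illustrated by decoding the provenance envelope yourself. The following is an added example, not Sentinel's or the slsa-verifier project's code: it decodes a constructed, unsigned DSSE envelope shaped like a *.intoto.jsonl file, confirms the subject digest matches the archive bytes and that the recorded source repository is the expected one. The PLATFORM value "linux-amd64", the tag ref and the commit digest are constructed placeholders, the resolvedDependencies layout is assumed from slsa-github-generator's SLSA v1.0 output, and signature verification against Rekor is deliberately left to slsa-verifier.

```python
import base64
import hashlib
import json

# Constructed values for this example (not real release data).
ARTIFACT_NAME = "sentinel-26.01_0-linux-amd64.tar.gz"   # PLATFORM "linux-amd64" is assumed
SAMPLE_ARTIFACT = b"constructed release archive bytes\n"
EXPECTED_SOURCE = "git+https://github.com/raskell-io/sentinel"

def make_sample_envelope(artifact: bytes) -> str:
    """Build a constructed, unsigned DSSE envelope shaped like *.intoto.jsonl
    (field layout assumed from slsa-github-generator's SLSA v1.0 output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": ARTIFACT_NAME,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {"resolvedDependencies": [
            {"uri": EXPECTED_SOURCE + "@refs/tags/26.01_0",   # constructed tag ref
             "digest": {"gitCommit": "0" * 40}}]}},          # placeholder commit
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": [{"sig": "PLACEHOLDER"}]})

def check_provenance(envelope_line: str, artifact_name: str, artifact: bytes) -> dict:
    """Decode the envelope and report which provenance checks hold for the given
    artifact bytes. Signature verification is out of scope (slsa-verifier does it)."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    stmt = json.loads(base64.b64decode(env["payload"]))
    subject = next((s for s in stmt.get("subject", []) if s.get("name") == artifact_name), None)
    deps = stmt.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", [])
    actual = hashlib.sha256(artifact).hexdigest()
    return {
        "predicate_type": stmt.get("predicateType") == "https://slsa.dev/provenance/v1",
        "subject_found": subject is not None,
        # A single flipped byte in the archive breaks this check.
        "digest_match": subject is not None and subject.get("digest", {}).get("sha256") == actual,
        # The source must be the expected repo at some ref, not merely contain its name.
        "source_match": any(d.get("uri", "").startswith(EXPECTED_SOURCE + "@") for d in deps),
    }

if __name__ == "__main__":
    envelope = make_sample_envelope(SAMPLE_ARTIFACT)
    print(check_provenance(envelope, ARTIFACT_NAME, SAMPLE_ARTIFACT))         # all True
    print(check_provenance(envelope, ARTIFACT_NAME, SAMPLE_ARTIFACT + b"x"))  # digest_match False
```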

Transparency Log

All signing events are recorded in the Sigstore transparency log (Rekor). Signing is publicly auditable and tamper-evident.

Build from Source

Sentinel is fully open source. Build from source and compare checksums against published releases to independently verify reproducibility.

git clone https://github.com/raskell-io/sentinel
cd sentinel && cargo build --release
# Compare against the binary extracted from the published sentinel-VERSION-PLATFORM.tar.gz:
# the *.tar.gz.sha256 file covers the archive, not the binary inside it.
sha256sum target/release/sentinel

What ships with each release

Artifact                            Format              Purpose
sentinel-VERSION-PLATFORM.tar.gz    Binary archive      Pre-built binary for each platform
*.tar.gz.sha256                     SHA-256 checksum    Integrity verification
*.tar.gz.bundle                     Sigstore bundle     Cosign signature + certificate + Rekor entry
*-sbom.cdx.json                     CycloneDX 1.5       Software bill of materials
*-sbom.spdx.json                    SPDX 2.3            Software bill of materials
*.intoto.jsonl                      SLSA provenance     Build provenance attestation (SLSA v1.0)

Detailed verification guide

For step-by-step verification procedures, CI/CD integration examples, and compliance documentation, see the operator guide.