
Unclear release verification instructions #1065

@kate-goldenring

Description

I am trying to verify the latest wasmtime shim release. The release docs point to verifying a sample app produced by releases rather than the actual artifact using the provided certificate and signature. I would expect instructions like the following:

# Download release
$ wget https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv0.6.0/containerd-shim-wasmtime-aarch64-linux-musl.tar.gz

# Unpack release
$ tar -xvf containerd-shim-wasmtime-aarch64-linux-musl.tar.gz

# Note that there are signature and certificate files
$ ls
-rw-r--r--@ 1 kgoldenr  staff   9067423 May 20  2025 containerd-shim-wasmtime-aarch64-linux-musl.tar.gz
-rwxr-xr-x@ 1 kgoldenr  staff  22408144 May 20  2025 containerd-shim-wasmtime-v1
-rw-------@ 1 kgoldenr  staff      3232 May 20  2025 containerd-shim-wasmtime-v1.pem
-rw-------@ 1 kgoldenr  staff        96 May 20  2025 containerd-shim-wasmtime-v1.sig

# Verify with cosign
$ cosign verify-blob \
  --certificate containerd-shim-wasmtime-v1.pem \
  --signature containerd-shim-wasmtime-v1.sig \
  --certificate-identity https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  containerd-shim-wasmtime-v1

I also find it strange that the release was signed by the action-build.yml instead of release.yaml and that it points to the one on main rather than a tagged release. I would have expected the following to work:

$ cosign verify-blob \
  --certificate containerd-shim-wasmtime-v1.pem \
  --signature containerd-shim-wasmtime-v1.sig \
  --certificate-identity https://github.com/containerd/runwasi/.github/workflows/release.yml@refs/tags/containerd-shim-wasmtime/v0.6.0 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  containerd-shim-wasmtime-v1

Error: none of the expected identities matched what was in the certificate, got subjects [https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main] with issuer https://token.actions.githubusercontent.com
error during command execution: none of the expected identities matched what was in the certificate, got subjects [https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main] with issuer https://token.actions.githubusercontent.com
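The tag-pinned verification the issue asks for, as an added example rather than code from the runwasi project: a small wrapper around `cosign verify-blob` that derives the expected identity from the shim name and version, and on failure parses cosign's mismatch error to show which identity actually signed and whether it is a release-tag pin or a branch build. It assumes the release workflow file is `release.yml` (the name used in the command above) and the artifact layout shown in the issue (`<binary>`, `<binary>.pem`, `<binary>.sig`).

```shell
#!/bin/sh
# Added example, not runwasi's own tooling. Assumptions: release workflow is
# release.yml; the .pem and .sig sit beside the binary, as in the issue's listing.
set -eu

REPO="https://github.com/containerd/runwasi"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Identity a tag-pinned verification should demand, e.g. for shim "wasmtime", "v0.6.0".
expected_identity() {
  printf '%s/.github/workflows/release.yml@refs/tags/containerd-shim-%s/%s\n' \
    "$REPO" "$1" "$2"
}

# Extract the identity that actually signed from cosign's mismatch error (stdin).
actual_identity_from_error() {
  sed -n 's/.*got subjects \[\([^]]*\)].*/\1/p' | head -n 1
}

# Classify a signer identity: a release workflow at a tag is the strongest pin;
# a branch build means any push to that branch yields a validly signed artifact.
classify_identity() {
  case "$1" in
    "$REPO"/.github/workflows/release.yml@refs/tags/*) echo "release-tag" ;;
    "$REPO"/.github/workflows/*@refs/heads/*)          echo "branch-build" ;;
    *)                                                  echo "foreign" ;;
  esac
}

# verify_release <shim> <version> <binary>: fails closed, explains a mismatch.
verify_release() {
  want=$(expected_identity "$1" "$2")
  if err=$(cosign verify-blob --certificate "$3.pem" --signature "$3.sig" \
        --certificate-identity "$want" --certificate-oidc-issuer "$OIDC_ISSUER" \
        "$3" 2>&1); then
    echo "OK: $3 signed by $want"
    return 0
  fi
  got=$(printf '%s\n' "$err" | actual_identity_from_error)
  echo "FAIL: $3 is not signed by $want" >&2
  if [ -n "$got" ]; then
    echo "      actual signer: $got ($(classify_identity "$got"))" >&2
  fi
  return 1
}

# Usage: sh verify_shim.sh wasmtime v0.6.0 containerd-shim-wasmtime-v1
if [ "$#" -eq 3 ]; then verify_release "$@"; fi
```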
