·
0 commits
to master
since this release
🎉 wasmsign2 WebAssembly Components Release
📦 What's Included
Component Library (WIT Interface):
wasmsign2-component.wasm- WebAssembly component library with WIT bindingswasmsign2-component.wasm.sha256- SHA256 checksum- Signed OCI artifact:
ghcr.io/pulseengine/wasmsign2:
CLI Tool (WASI Binary):
wasmsign2-cli.wasm- WASI command-line tool for Wasmtimewasmsign2-cli.wasm.sha256- SHA256 checksum- Signed OCI artifact:
ghcr.io/pulseengine/wasmsign2:-cli
🔐 Security Features
- ✅ OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
- ✅ SLSA Provenance - Build attestation included
- ✅ SHA256 Checksums - For download verification
🚀 Usage
Download WASM Component
# Download and verify checksum
TAG=
wget https://github.com/pulseengine/wasmsign2/releases/download/${TAG}/wasmsign2.wasm
wget https://github.com/pulseengine/wasmsign2/releases/download/${TAG}/wasmsign2.wasm.sha256
sha256sum -c wasmsign2.wasm.sha256Pull Signed OCI Artifact
TAG=
# Pull the signed OCI artifact with oras
oras pull ghcr.io/pulseengine/wasmsign2:${TAG}
# Verify signature with Cosign
cosign verify \
--certificate-identity-regexp="https://github.com/pulseengine/wasmsign2" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/pulseengine/wasmsign2:${TAG}
# Verify SLSA provenance
cosign verify-attestation \
--type slsaprovenance \
--certificate-identity-regexp="https://github.com/pulseengine/wasmsign2" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
ghcr.io/pulseengine/wasmsign2:${TAG}🔍 Verification
All releases are:
- Built in GitHub Actions with full transparency
- Signed with Cosign using keyless signing (GitHub OIDC)
- Attested with SLSA provenance
- Checksummed with SHA256
📚 Documentation
See README.md for usage details.