LaunchDarkly uses GitHub artifact attestations to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
LaunchDarkly publishes provenance about our SDK package builds using GitHub's actions/attest action. These attestations are stored in GitHub's attestation API and can be verified using the GitHub CLI.
To verify build provenance attestations, we recommend using the GitHub CLI attestation verify command. Example usage for verifying SDK packages is included below:
# Set the version of the SDK to verify
SDK_VERSION=0.2.0
# Download gem
$ gem fetch launchdarkly-openfeature-server-sdk -v $SDK_VERSION
# Verify provenance using the GitHub CLI
$ gh attestation verify launchdarkly-openfeature-server-sdk-${SDK_VERSION}.gem --owner launchdarkly
Below is a sample of expected output.
Loaded digest sha256:... for file://launchdarkly-openfeature-server-sdk-0.1.0.gem
Loaded 1 attestation from GitHub API
The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/launchdarkly
- Subject Alternative Name must match regex: (?i)^https://github.com/launchdarkly/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
✓ Verification succeeded!
The following 1 attestation matched the policy criteria
- Attestation #1
- Build repo:..... launchdarkly/openfeature-ruby-server
- Build workflow:. .github/workflows/release-please.yml
- Signer repo:.... launchdarkly/openfeature-ruby-server
- Signer workflow: .github/workflows/release-please.yml
For more information, see GitHub's documentation on verifying artifact attestations.
Note: These instructions do not apply when building our SDKs from source.