Releases · ballerina-platform/ballerina-distribution

Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.

Platform	Installer	Certificate	Signature
Linux DEB	ballerina-2201.9.5-swan-lake-linux-x64.deb	ballerina-2201.9.5-swan-lake-linux-x64.deb.pem	ballerina-2201.9.5-swan-lake-linux-x64.deb.sig
Linux RPM	ballerina-2201.9.5-swan-lake-linux-x64.rpm	ballerina-2201.9.5-swan-lake-linux-x64.rpm.pem	ballerina-2201.9.5-swan-lake-linux-x64.rpm.sig
macOS	ballerina-2201.9.5-swan-lake-macos-x64.pkg	ballerina-2201.9.5-swan-lake-macos-x64.pkg.pem	ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig
macOS ARM	ballerina-2201.9.5-swan-lake-macos-arm-x64.pkg	ballerina-2201.9.5-swan-lake-macos-arm-x64.pkg.pem	ballerina-2201.9.5-swan-lake-macos-arm-x64.pkg.sig
Windows	ballerina-2201.9.5-swan-lake-windows-x64.msi	ballerina-2201.9.5-swan-lake-windows-x64.msi.pem	ballerina-2201.9.5-swan-lake-windows-x64.msi.sig

You can use one of the methods below to verify the above artifacts.

Verify using the Cosign CLI

Below is an example of using the Cosign CLI to verify the release artifacts of the MacOS platform.

Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.

Follow the steps below to verify the artifacts using the Cosign CLI.

Download the desired artifact from the table above.

Execute the command below to verify the artifacts.

$ cosign verify-blob ballerina-2201.9.5-swan-lake-macos-x64.pkg --certificate ballerina-2201.9.5-swan-lake-macos-x64.pkg.pem --signature ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/2201.9.x --certificate-oidc-issuer=https://token.actions.githubusercontent.com

If the artifact matches the one signed by Cosign, you will receive the following message.

Verified OK

Verify using the Rekor API

The signatures applied on the Ballerina release artifacts are recorded in Rekor, which is a Sigstore Transparency Log. Below is an example of using the Rekor API to verify the release artifacts of the MacOS platform.

Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.

Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature and the certificate chain.

Download the desired artifact from the table above.

Generate an SHA256 Hash for the artifact and store it in a variable.

$ SHASUM=$(shasum -a 256 ballerina-2201.9.5-swan-lake-macos-x64.pkg |awk '{print $1}')

Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.

$ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}"

Assign the UUID returned by the above API call to a variable as shown below.

Tip: Replace the <UUID_VALUE> in the below exmaple with the UUID value you recieved
```
$ UUID=<UUID_VALUE>
```
Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.
```
 $ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}"
```

Retrieve the signature and public certificate, which are required to verify the artifact.

Retrieve the signature:

$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .content' | base64 -d > ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig

Retrieve the certificate:

$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}"  | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .publicKey .content'  | base64 -d > ballerina-2201.9.5-swan-lake-macos-x64.pkg.crt

Extract the public key from the certificate file using openssl.

$ openssl x509 -in ballerina-2201.9.5-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.9.5-swan-lake-macos-x64.pkg.pubkey.crt

Verify the artifact using the public key.

$ openssl sha256 -verify ballerina-2201.9.5-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig ballerina-2201.9.5-swan-lake-macos-x64.pkg

If the artifact matches the one signed by Cosign, you will receive the following message.

Verified OK

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Verify using the Cosign CLI

Verify using the Rekor API

Releases: ballerina-platform/ballerina-distribution

2201.11.0-bi-pack-20241108-080100

2201.11.0-bi-pack-20241106-160200

2201.11.0-bi-pack-20241106-080100

2201.9.5

Verify using the Cosign CLI

Verify using the Rekor API

2201.9.5-rc1

2201.11.0-bi-pack-20241104-215300

2201.11.0-bi-pack-20241104-205300

2201.11.0-bi-pack-20241104-170900

2201.11.0-bi-pack-20241103-080500

2201.11.0-bi-pack-20241031-080300