nself verify-sbom

Verify the cosign-signed Software Bill of Materials for an nSelf CLI release. Used by enterprise customers for supply-chain compliance and artifact provenance.

Quick start

# Verify the SBOM for the current installed version
nself verify-sbom

# Verify a specific release tag
nself verify-sbom v1.1.0

# Verify and output the SBOM contents as JSON
nself verify-sbom v1.1.0 --json

Synopsis

nself verify-sbom [<release-tag>] [FLAGS]

Description

Every nSelf CLI release ships with a Software Bill of Materials (SBOM) in CycloneDX JSON format, signed with cosign using keyless signing via Sigstore's public Rekor transparency log. This gives you a cryptographically verifiable record of every Go module, direct dependency, and transitive dependency bundled in the binary.

nself verify-sbom downloads the SBOM and its cosign bundle for the given release tag, verifies the signature against Sigstore's public key infrastructure, checks the inclusion proof in the Rekor transparency log, and prints a verification summary. If any step fails, it exits non-zero with a clear error message explaining what went wrong.

If you omit the release tag, the command uses the currently installed CLI version (output of nself version --short).

Arguments

Flags

What is verified

1. Signature validity — the cosign bundle matches the SBOM file bytes; the certificate chain roots to Sigstore's public CA.
2. Rekor inclusion proof — the entry exists in the Rekor transparency log and the inclusion proof is cryptographically valid.
3. Certificate identity — the signing certificate was issued to the nSelf CI/CD pipeline identity (GitHub Actions OIDC), not an arbitrary key.
4. Release tag match — the SBOM's recorded version matches the tag you requested.

SBOM format

SBOMs are in CycloneDX JSON format (spec version 1.5). Each component entry includes:

• Module path and version (Go module coordinates)
• License identifier (SPDX)
• Package URL (pkg:golang/...)
• Hash (SHA-256) of the module zip at the recorded version

Examples

Verify the installed version

nself verify-sbom
# Verifying SBOM for v1.1.0...
# ✓ Signature valid
# ✓ Rekor inclusion proof verified (log index: 192847362)
# ✓ Certificate identity: https://github.com/nself-org/cli/.github/workflows/release.yml@refs/tags/v1.1.0
# ✓ SBOM version matches release tag
#
# Verification: PASSED

Save the SBOM to a file for audit records

nself verify-sbom v1.1.0 --output /tmp/nself-v1.1.0.sbom.json
# Verification: PASSED
# SBOM written to /tmp/nself-v1.1.0.sbom.json

Check all Go module licenses in the SBOM

nself verify-sbom v1.1.0 --json   | jq '[.components[] | {name: .name, version: .version, license: .licenses[0].license.id}]'

Verify in an air-gapped environment with a private Rekor instance

nself verify-sbom v1.1.0 --rekor-url https://rekor.internal.example.com

Where to find SBOM artifacts

Every GitHub release at github.com/nself-org/cli/releases includes:

• nself-{version}-sbom.cyclonedx.json — the SBOM
• nself-{version}-sbom.cyclonedx.json.cosign.bundle — the cosign signature bundle

nself verify-sbom downloads these automatically. For manual download, use the GitHub release page or the GitHub API.

Exit codes

• 0 — verification passed
• 1 — signature invalid or Rekor proof failed
• 2 — release tag not found or SBOM artifact missing
• 3 — network error fetching artifacts or Rekor

Related

• nself version — show the installed CLI version
• nself release-status — show running version vs latest across artifacts
• cosign documentation