Integrity Verification

Qlty publishes cryptographic attestations for all CLI releases, allowing you to verify that the binary you downloaded was built by Qlty and hasn’t been tampered with. These attestations are powered by Sigstore and published as GitHub artifact attestations.

How it works

When we release a new version of the Qlty CLI, our GitHub Actions workflow:

  1. Builds the CLI binaries for each supported platform
  2. Generates a cryptographic attestation for each build artifact
  3. Publishes the attestations to GitHub’s attestation store

These attestations cryptographically prove that the binary was built from our official repository using our CI/CD pipeline.

Verifying the CLI

You can verify the integrity of any Qlty CLI release using the GitHub CLI (gh).

The gh CLI must be authenticated to verify attestations, even for public repositories. Run gh auth login first if you haven’t already.

Example (macOS Apple Silicon):

# Download the archive from https://github.com/qltysh/qlty/releases
$ curl -LO https://github.com/qltysh/qlty/releases/latest/download/qlty-aarch64-apple-darwin.tar.xz

# Verify the attestation
$ gh attestation verify --owner qltysh qlty-aarch64-apple-darwin.tar.xz

# Unpack and install
$ tar -xJf qlty-aarch64-apple-darwin.tar.xz
$ sudo mv qlty-aarch64-apple-darwin/qlty /usr/local/bin/

For other platforms, download the appropriate archive from GitHub releases.
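The same steps wrapped in a fail-closed install script, as an added example that is not Qlty's own installer: it picks the archive for the current platform, verifies the attestation with gh, and only unpacks and installs if verification exits successfully. It assumes curl, tar and an authenticated gh are available; only the aarch64-apple-darwin archive name comes from this page, the other target names are assumed to follow the same pattern, and gh's --repo flag is used instead of --owner so the attestation must come from the qltysh/qlty repository rather than any repository under the owner.

```shell
#!/bin/sh
# Added example (not Qlty's own code): download, verify, then install the Qlty CLI.
# Requires curl, tar and an authenticated gh (run `gh auth login` first).
set -eu

# Map uname output to the release archive name. Only the aarch64-apple-darwin
# name appears in the docs; the other three are assumed to follow the same
# target-triple pattern and should be checked against the releases page.
archive_name() {
  os="$1"; arch="$2"
  case "$os/$arch" in
    Darwin/arm64)  echo "qlty-aarch64-apple-darwin.tar.xz" ;;
    Darwin/x86_64) echo "qlty-x86_64-apple-darwin.tar.xz" ;;
    Linux/x86_64)  echo "qlty-x86_64-unknown-linux-gnu.tar.xz" ;;
    Linux/aarch64) echo "qlty-aarch64-unknown-linux-gnu.tar.xz" ;;
    *) echo "unsupported platform: $os/$arch" >&2; return 1 ;;
  esac
}

# gh exits non-zero when no valid attestation matches the file's digest;
# with `set -e` that aborts the script before anything is unpacked.
# --repo pins the source repository; --owner (as in the docs) would accept
# an attestation from any repository under the qltysh owner.
verify_archive() {
  gh attestation verify --repo qltysh/qlty "$1"
}

install_qlty() {
  archive=$(archive_name "$(uname -s)" "$(uname -m)")
  workdir=$(mktemp -d)
  trap 'rm -rf "$workdir"' EXIT
  cd "$workdir"
  curl -fsSLO "https://github.com/qltysh/qlty/releases/latest/download/$archive"
  verify_archive "$archive"
  tar -xJf "$archive"
  sudo mv "${archive%.tar.xz}/qlty" /usr/local/bin/
  echo "installed verified qlty to /usr/local/bin/qlty"
}

# Run with `sh install-qlty.sh install`; without the argument nothing is fetched.
case "${1:-}" in
  install) install_qlty ;;
  *) echo "usage: $0 install" >&2 ;;
esac
```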

Successful verification

A successful verification will display output similar to:

Loaded digest sha256:abc123... for file qlty-aarch64-apple-darwin.tar.xz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

This confirms the binary was signed by GitHub Actions and built from the official Qlty repository.

Learn more