Concepts

Key concepts for using the epack CLI and Go SDK. Understand the security model, trust levels, and how remotes work.

Quick Reference

Verification Flags

  • --integrity-only — digests only
  • --require-attestation — must be signed
  • --issuer — require specific OIDC issuer
  • --subject — require specific signer

Signing

  • epack sign pack.pack — interactive
  • EPACK_OIDC_TOKEN=... — CI/CD mode
  • Signatures logged to Rekor

Pushing

  • epack push <remote> pack.pack
  • --label — add release labels
  • --env — target environment

Looking for background and motivation?

Learn why Evidence Packs exist and the problems they solve at evidencepack.org.

New to epack? Check out the Get Started tutorial for a guided walkthrough.