Tutorial

Quickstart

Build, sign, and verify your first Evidence Pack.

Prerequisites

  • macOS or Linux
  • Homebrew or Go 1.26+

Install epack

Terminal
brew install locktivity/tap/epack

Or with Go:

go install -tags components github.com/locktivity/epack/cmd/epack@v0.1.31

Create a project

Terminal
epack new my-project
cd my-project
Project structure
my-project/
├── epack.yaml      # Configuration
├── sample.epack    # Demo pack to explore
└── packs/          # Output directory

The project includes a sample.epack you can explore immediately, plus a managed .gitignore that keeps runtime .epack/ state out of git while reserving .epack/hooks/ for committed customization.

Explore the sample pack

Inspect the pack contents:

Terminal
epack inspect sample.epack
Expected output
Evidence Pack: sample.epack

  Stream:        demo/sample/quickstart
  Pack Digest:   sha256:7395a655...

Artifacts (3)
  artifacts/compliance.json    623 B
  artifacts/dependencies.json  394 B
  artifacts/system-info.json   179 B

Attestations (0)
  none

The pack records a SHA-256 digest for each artifact. Any change to an artifact's bytes changes its digest, so verification detects the modification; this is what makes packs tamper-evident.
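To make the tamper-evidence idea concrete, here is an added example (not epack's own code or file format) that builds a minimal digest manifest for a directory of constructed sample artifacts, verifies it, then shows verification failing after one artifact is changed. The "<digest>  <path>" manifest layout, the directory names and the sample JSON are assumptions for the demo only; a real .epack carries more than this.

```shell
#!/bin/sh
# Added example: a minimal digest manifest showing why per-artifact SHA-256
# digests make a pack tamper-evident. This is a hypothetical manifest format
# ("<digest>  <path>" per line), not the .epack format.

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# build_manifest DIR MANIFEST: record a digest for every regular file under DIR.
build_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$manifest"
    done
}

# verify_manifest MANIFEST: return 0 if every recorded digest still matches,
# 1 if any file was modified or is missing. Prints each mismatch found.
verify_manifest() {
    manifest=$1
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        got=$(sha256_of "$path")
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# Demo on constructed sample artifacts in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/artifacts"
    echo '{"mfa_enabled": true}' > "$tmp/artifacts/security.json"   # constructed
    echo '{"os": "linux"}'        > "$tmp/artifacts/system-info.json" # constructed
    build_manifest "$tmp/artifacts" "$tmp/manifest.txt"
    verify_manifest "$tmp/manifest.txt" && echo "clean: verification passed"
    # Flip the control value without touching the manifest: the digest no longer matches.
    echo '{"mfa_enabled": false}' > "$tmp/artifacts/security.json"
    verify_manifest "$tmp/manifest.txt" || echo "tampered: verification failed"
    rm -rf "$tmp"
}
```

Run `demo` from a shell that has sourced the file to see both outcomes. The manifest here is unsigned, so it only proves that the contents match what was recorded; binding the manifest to a signer is the job of the signing step later in this tutorial.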

Verify integrity

Verify that the pack hasn't been tampered with:

Terminal
epack verify sample.epack
Expected output
✓ Verification passed

  Artifacts:     3 verified
  Attestations:  none

Build your own pack

Create some evidence files and build a pack:

Terminal
echo '{"mfa_enabled": true}' > security.json
epack build my-evidence.epack security.json --stream myorg/security
Expected output
✓ Built my-evidence.epack
  Stream: myorg/security
  Artifacts: 1

Sign the pack

Add a cryptographic signature using Sigstore:

Terminal
epack sign my-evidence.epack
Expected output
Opening browser for authentication...
✓ Signed my-evidence.epack
  Signer: you@example.com
  Issuer: https://accounts.google.com

This uses keyless signing. No keys to manage. You authenticate with Google, GitHub, or Microsoft.

Verify with identity

Verify the signature and require that it was made by the expected identity, pinning both the issuer and the subject:

Terminal
epack verify my-evidence.epack \
  --issuer "https://accounts.google.com" \
  --subject "you@example.com"
Expected output
✓ Verification passed

  Artifacts:     1 verified
  Attestations:  1 valid
    Signer: you@example.com
    Issuer: https://accounts.google.com
🎉

You did it!

You've built, signed, and verified your first Evidence Pack.

What you learned

  • epack new creates a project with a sample pack
  • epack inspect shows pack contents and digests
  • epack verify checks integrity and signatures
  • epack build creates a pack from files
  • epack sign adds a Sigstore attestation

Next steps