Verify Vendor Packs
Verify authenticity, inspect contents, and compare releases.
Prerequisites
- epack installed
- A .epack file from your vendor
Verify integrity and signature
Check that the pack hasn't been tampered with:
epack verify vendor.epack
Require that the signature come from a specific identity:
epack verify vendor.epack \
  --issuer "https://accounts.google.com" \
  --subject "security@vendor.com"
Expected output
✓ Verification passed
Artifacts: 12 verified
Attestations: 1 valid
Signer: security@vendor.com
Issuer: https://accounts.google.com
For CI-generated packs, verify the GitHub Actions workflow identity (the subject pins the repository and the branch ref the workflow ran on):
epack verify vendor.epack \
  --issuer "https://token.actions.githubusercontent.com" \
  --subject "repo:vendor/evidence:ref:refs/heads/main"
Inspect pack contents
See metadata and artifact list:
epack inspect vendor.epack
Expected output
Evidence Pack: vendor.epack
Stream: vendor/security/prod
Pack Digest: sha256:7f3a8b2c...
Generated At: 2025-02-20T14:30:00Z

Sources
  epack-collector-github v1.2.0
  epack-collector-aws v1.1.0

Artifacts (12)
  artifacts/github-repos.json          2.1 KB
  artifacts/github-branch-rules.json   847 B
  artifacts/aws-iam-summary.json       1.4 KB
  ...

Attestations (1)
  Signer: security@vendor.com
  Issuer: https://accounts.google.com
List just the artifacts:
epack list artifacts vendor.epack
Extract artifacts
Extract all artifacts to a directory:
epack extract vendor.epack ./review/
Extract a specific artifact:
epack extract vendor.epack ./review/ --artifact artifacts/github-repos.json
Compare two releases
See what changed between releases:
epack diff q1.epack q2.epack
Expected output
Comparing q1.epack → q2.epack
+ artifacts/mfa-report.json (added)
~ artifacts/branch-rules.json (modified)
- artifacts/old-policy.pdf (removed)

Summary: 1 added, 1 modified, 1 removed
Show content differences:
epack diff q1.epack q2.epack --content
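The identity-pinned verify, extract and diff steps above can be chained into one fail-closed review script. The script below is an added example, not part of the epack project or this guide; it assumes that `epack verify` exits non-zero when verification fails, and it reads the binary name from an `EPACK` environment variable (an assumption made so the functions can be exercised with a stand-in) defaulting to `epack`. The pack names and identities are the ones used on this page.

```shell
#!/bin/sh
# Added example (not epack project code): a fail-closed review wrapper around
# `epack verify`, `epack extract` and `epack diff`.
# Assumptions:
#   - `epack verify` exits non-zero when verification fails.
#   - EPACK may name an alternative binary or shell function; defaults to epack.
set -eu

EPACK="${EPACK:-epack}"

# verify_pinned PACK ISSUER SUBJECT
# Verifies PACK and requires the signature to come from the given
# issuer/subject pair. Refuses to run if either value is empty, so a
# misconfigured pipeline cannot silently fall back to accepting any signer.
verify_pinned() {
    pack=$1 issuer=$2 subject=$3
    if [ -z "$issuer" ] || [ -z "$subject" ]; then
        echo "refusing to verify $pack: issuer and subject must both be set" >&2
        return 2
    fi
    "$EPACK" verify "$pack" --issuer "$issuer" --subject "$subject"
}

# review_release PREV CUR ISSUER SUBJECT OUTDIR
# Verifies both releases against the same pinned identity, extracts the
# current release for manual review, then prints what changed between them.
# Nothing is extracted or diffed unless both packs verify.
review_release() {
    prev=$1 cur=$2 issuer=$3 subject=$4 outdir=$5
    verify_pinned "$prev" "$issuer" "$subject" || return 1
    verify_pinned "$cur" "$issuer" "$subject" || return 1
    mkdir -p "$outdir"
    "$EPACK" extract "$cur" "$outdir"
    "$EPACK" diff "$prev" "$cur"
}

# Example invocation, using the CI identity shown on this page.
# Only runs when the script is started with --run (not when sourced).
if [ "${1:-}" = "--run" ]; then
    review_release q1.epack q2.epack \
        "https://token.actions.githubusercontent.com" \
        "repo:vendor/evidence:ref:refs/heads/main" ./review/
fi
```

Run it as `sh review.sh --run` from a directory holding both packs. The deliberate choice is that `verify_pinned` returns an error rather than dropping the `--issuer`/`--subject` flags when a value is missing: a verify call without a pinned identity still proves the pack is intact, but not that the expected vendor signed it.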
Merge multiple packs
Combine packs from multiple vendors:
epack merge combined.epack vendor-a.epack vendor-b.epack \
  --stream internal/all-vendors
Machine-readable output
Get JSON output for scripting:
epack inspect vendor.epack --json
epack verify vendor.epack --json
epack diff q1.epack q2.epack --json
Related
- CLI Reference: verify — All flags and options
- Concepts: Trust levels — Unsigned, signed, verified
- Verify packs in CI — Automate verification