Release verification
Every Vidai binary is signed. Verify before you run.
A public signing key lets you confirm a binary you've downloaded came from us and has not been altered. The mechanism today is cosign; the principle does not depend on the tool. This page is the canonical entry point.
Our public signing key
The canonical URL, in plain text.
Fetch the key from the address below. Reference this URL in your release-verification scripts, your internal tooling, and any third-party reproducibility check. Do not accept the key from any other source.
https://vidai.uk/.well-known/cosign.pub
If anything tells you the Vidai signing key lives somewhere else — a tweet, a GitHub gist, an email from us — that thing is wrong. The only canonical location is the URL above on this domain.
Key fingerprint, SHA-256
A second trust anchor.
If you have a copy of the key from anywhere — a release tarball, a build pipeline, a colleague — compute its SHA-256 fingerprint and compare against the value below. Two channels confirming the same bytes is stronger than one.
0eba bf29 90d8 0953 8326 9054 a9dc ed58 a604 3608 9974 1abd 9b16 a88a 87b4 631c
Computed over the DER form of the public key — the same form openssl and cosign print. Reproduce with:
openssl pkey -pubin -in cosign.pub -outform DER | openssl dgst -sha256
How to verify
The principle is the same; the command lives with the artefact.
Each release artefact ships with its own VERIFY.md (or an equivalent verification section in the artefact's README) describing the exact steps for that artefact. Signature shapes differ — a release blob, a container image and an attestation are each verified slightly differently — so the authoritative command is the one that ships with the artefact you downloaded, not a command on this page.
The principle is constant. In every case:
- Fetch the public key from the canonical URL above.
- Confirm its fingerprint matches the value on this page.
- Point your verification tool at the key and the artefact you downloaded.
- Run the command from the artefact's VERIFY.md.
- Accept the artefact only if verification succeeds.
Coverage today
What this key signs.
As of May 2026, this key signs the Vidai Server binary. The signed-artefact set will grow as the registry infrastructure expands — container images, attestations and additional release components are on the path. Each release's notes state explicitly which files are signed and how, so a reader can always confirm whether the artefact in their hand is in scope.
Key rotation
The URL is stable; the key behind it can change.
If we rotate the signing key, the URL above stays the same, the bytes behind it change, and the new fingerprint is published on this page. Downstream tooling should fetch the key fresh per verification rather than cache it indefinitely. If caching is unavoidable, expire on a short TTL.
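The following is an added example, not Vidai's own tooling, covering both the five verification steps above and the rotation guidance in this section: it pins the fingerprint, computes it from the fetched PEM exactly as the openssl pipeline on this page does (the PEM body is the base64 of the DER public key), fails closed when the bytes do not match the pin, and refetches the key on a short TTL instead of caching it indefinitely. It assumes the canonical URL serves a PEM "PUBLIC KEY" block. The sample key bytes, the 404 page, the 300-second default TTL and the `PinnedKeyCache` class are constructed for illustration; the fetch function and clock are injected so the code runs offline.

```python
"""Pin a signing key by SHA-256 fingerprint and refresh it on a short TTL (added example)."""
import base64
import hashlib
import hmac
import re
import time
from typing import Callable, Optional

# Constructed stand-in for a downloaded key file. These bytes are NOT a real key,
# only a well-formed PEM-armoured base64 blob so the hashing path can run offline.
SAMPLE_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAbCdEfGhIjKlMnOpQrStUvWxYz01
23456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlZQ==
-----END PUBLIC KEY-----
"""

# Constructed: what a misdirected fetch (captive portal, 404 page) might hand back.
NOT_A_KEY = "<html><body>404 Not Found</body></html>"

_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode.

    The result is the DER SubjectPublicKeyInfo, i.e. the same bytes that
    `openssl pkey -pubin -in cosign.pub -outform DER` emits.
    """
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PUBLIC KEY block in fetched data; refusing to treat it as a key")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def key_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER public key, as lowercase hex without separators."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def normalize_fingerprint(printed: str) -> str:
    """Accept the spaced groups printed on the page, colon-separated or uppercase forms."""
    fp = re.sub(r"[\s:]", "", printed).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("fingerprint is not 64 hex digits")
    return fp


def fingerprint_matches(pem_text: str, expected_printed: str) -> bool:
    """Compare in constant time so a near-miss leaks nothing through timing."""
    return hmac.compare_digest(key_fingerprint(pem_text), normalize_fingerprint(expected_printed))


class PinnedKeyCache:
    """Fetch the key fresh, tolerating only a short TTL cache.

    `fetch` and `clock` are injected for offline use; in production `fetch` would
    GET the canonical URL over TLS and `clock` would be time.time.
    """

    def __init__(self, fetch: Callable[[], str], expected_fingerprint: str,
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._expected = normalize_fingerprint(expected_fingerprint)
        self._ttl = ttl_seconds
        self._clock = clock
        self._pem: Optional[str] = None
        self._fetched_at = float("-inf")
        self.fetch_count = 0  # exposed so callers can observe refetch behaviour

    def get(self) -> str:
        """Return a PEM whose fingerprint matches the pin, refetching once the TTL lapses."""
        now = self._clock()
        if self._pem is None or now - self._fetched_at >= self._ttl:
            pem = self._fetch()
            self.fetch_count += 1
            # Fail closed: bytes that do not match the pinned fingerprint are never
            # handed to the verifier. After a rotation, update the pin from the
            # Release verification page first, then verification resumes.
            if not fingerprint_matches(pem, self._expected):
                raise ValueError("fetched key does not match pinned fingerprint; "
                                 "check the Release verification page for a rotation notice")
            self._pem, self._fetched_at = pem, now
        return self._pem


if __name__ == "__main__":
    print("fingerprint of constructed sample:", key_fingerprint(SAMPLE_KEY_PEM))
```

In CI the pinned fingerprint is the value from this page, checked into the repository alongside the verification script; the key itself is never checked in, only fetched from the canonical URL and compared against that pin before `cosign` is pointed at it.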
Rotation events also appear in the security.txt file alongside the contact details.
When in doubt
Email us.
If a key, fingerprint, signature or artefact looks wrong, or if you can't find the verification step for an artefact you have, email [email protected]. Coordinated disclosure terms and the latest contact details are at /.well-known/security.txt.
Walk through a release with us.
A 20-minute walkthrough: what we sign, how we sign it, and how your team verifies in CI.