
Signing & verification.

Today’s production trust model is hash verification plus GitHub-linked publisher identity and compiler version metadata. Signature-based provenance is a future upgrade, not current behavior.

01 · section

What is real today

Do not overstate this layer: current packages are hash-verified and tied to a registry user backed by GitHub login. They are not yet Sigstore-signed in production.

  • GitHub-backed publisher identity
  • Compiler version on each package version
  • Hash-oriented package verification model
  • Install counts tracked on real install requests only

02 · section

What comes later

If you want stronger provenance later, signature-based verification can layer on top of the current model. But the current docs should describe the product as it exists today.

Signing & verification · axint docs · axint registry