clearhash@verifier — v0.1 · MIT · ● ready

supply-chain integrity verifier — rebuild every package, compare every byte, block every tamper.

==>

clearhash info · case CLH-26

classification
open · public · MIT
subject
Supply-chain integrity (npm · PyPI · Cargo)
method
rebuild ✕ compare against attested source commit
rate-limit
30 req/min global, /inspect endpoint
==>

inspect a package

$clearhash verify
[ OK ]attestation verified resolved → latestFulcio leaf cert · Rekor transparency-log entry · workflow URI cross-checked against source repo.
packagenpm:@sigstore/sign@5.0.0
registry sha-256
source repo
commit
builderhttps://github.com/actions/runner/github-hosted
cert issuerO=sigstore.dev, CN=sigstore-intermediate
workflow
rekor index1697019854

==> json · GET /api/inspect?package=npm:@sigstore/sign