Toolchain Verification

The toolchain.verification section controls how Atmos verifies downloaded toolchain packages before extraction and installation.

Configuration

By default, Atmos verifies packages when registry metadata provides checksums, signatures, or attestations. Packages without verification metadata can still install.

atmos.yaml
```yaml
toolchain:
  verification:
    checksums: when_available
    signatures: when_available
    verifier_install: auto
```

Options

checksums

Controls checksum verification for downloaded packages. Supported values:

  • when_available verifies checksums when registry metadata provides them. This is the default.
  • required fails installation when checksum metadata is missing or verification fails.
  • disabled skips checksum verification.

signatures

Controls signature and attestation verification for downloaded packages. Supported values:

  • when_available verifies signatures and attestations when registry metadata provides them. This is the default.
  • required fails installation when signature metadata is missing or verification fails.
  • disabled skips signature and attestation verification.

verifier_install

Controls how external verifier CLIs are resolved. Supported values:

  • auto installs supported verifier CLIs through Atmos toolchain when they are not already on PATH. This is the default.
  • path_only requires verifier CLIs to already be available on PATH.

Verification Methods

Atmos supports Aqua-compatible verification metadata for package downloads.

  • Checksums: verifies downloaded assets with sha256, sha512, sha1, or md5 checksum files before extraction.
  • cosign: runs cosign verify-blob for Sigstore signatures and bundles.
  • slsa_provenance: runs slsa-verifier verify-artifact for SLSA provenance metadata.
  • github_artifact_attestations: runs gh attestation verify. This requires the GitHub CLI (gh) on PATH, or verifier_install: auto so Atmos can install cli/cli through the toolchain.
  • minisign: runs minisign -Vm for Minisign signatures.

Strict Verification

Use required policies when every package must provide verification metadata:

atmos.yaml
```yaml
toolchain:
  verification:
    checksums: required
    signatures: required
    verifier_install: path_only
```

With this configuration, installation fails when checksum metadata is missing, signature or attestation metadata is missing, a verifier CLI is missing from PATH, or verification fails.
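The policy behind the Options and Strict Verification sections, as an added Python model that is not Atmos's own code: given the three configured policies, a package's registry metadata, and the verifier CLIs present on PATH, it decides whether installation proceeds and why. The package, the verifier names, the asset bytes and the signature outcome are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Verification:
    """Mirrors the toolchain.verification keys in atmos.yaml."""
    checksums: str = "when_available"      # when_available | required | disabled
    signatures: str = "when_available"     # when_available | required | disabled
    verifier_install: str = "auto"         # auto | path_only

@dataclass
class Package:
    """Constructed stand-in for a downloaded asset plus its registry metadata."""
    data: bytes
    checksum: Optional[Tuple[str, str]] = None  # (algorithm, hex digest), None if absent
    verifier: Optional[str] = None              # CLI named by signature metadata, e.g. "cosign"
    signature_valid: bool = True                # stand-in for the verifier CLI's exit status

def checksum_matches(data: bytes, algorithm: str, expected: str) -> bool:
    # hashlib accepts the algorithm names the checksum files use: sha256, sha512, sha1, md5
    return hashlib.new(algorithm, data).hexdigest() == expected.lower()

def decide(cfg: Verification, pkg: Package, on_path: set, installs: list) -> Tuple[bool, str]:
    """Return (install allowed, reason); `installs` collects verifiers Atmos would install."""
    if cfg.checksums != "disabled":
        if pkg.checksum is None:
            if cfg.checksums == "required":
                return False, "checksum metadata missing"
        elif not checksum_matches(pkg.data, *pkg.checksum):
            return False, "checksum verification failed"
    if cfg.signatures != "disabled":
        if pkg.verifier is None:
            if cfg.signatures == "required":
                return False, "signature metadata missing"
        else:
            if pkg.verifier not in on_path:
                if cfg.verifier_install == "path_only":
                    return False, f"verifier {pkg.verifier} missing from PATH"
                installs.append(pkg.verifier)   # auto: install it through the toolchain
            if not pkg.signature_valid:
                return False, "signature verification failed"
    return True, "verified"

ASSET = b"constructed release tarball bytes"
SIGNED = Package(ASSET, ("sha256", hashlib.sha256(ASSET).hexdigest()), "cosign")
BARE = Package(ASSET)                       # registry provides no verification metadata
STRICT = Verification("required", "required", "path_only")
```

With the defaults, `decide(Verification(), BARE, set(), [])` allows the install, while `decide(STRICT, BARE, set(), [])` refuses it for missing checksum metadata, matching the two configurations above.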