# Toolchain Verification

The `toolchain.verification` section controls how Atmos verifies downloaded toolchain packages before extraction and installation.

## Configuration

By default, Atmos verifies packages when registry metadata provides checksums, signatures, or attestations. Packages without verification metadata can still install.

**File:** `atmos.yaml`

```yaml
toolchain:
  verification:
    checksums: when_available
    signatures: when_available
    verifier_install: auto
```

## Options

- **`checksums`**

  Controls checksum verification for downloaded packages. Supported values:

  - `when_available` verifies checksums when registry metadata provides them. This is the default.
  - `required` fails installation when checksum metadata is missing or verification fails.
  - `disabled` skips checksum verification.
- **`signatures`**

  Controls signature and attestation verification for downloaded packages. Supported values:

  - `when_available` verifies signatures and attestations when registry metadata provides them. This is the default.
  - `required` fails installation when signature metadata is missing or verification fails.
  - `disabled` skips signature and attestation verification.
- **`verifier_install`**

  Controls how external verifier CLIs are resolved. Supported values:

  - `auto` installs supported verifier CLIs through the Atmos toolchain when they are not already on `PATH`. This is the default.
  - `path_only` requires verifier CLIs to already be available on `PATH`.

## Verification Methods

Atmos supports Aqua-compatible verification metadata for package downloads.

- **Checksums**
  Verifies downloaded assets with `sha256`, `sha512`, `sha1`, or `md5` checksum files before extraction.
- **`cosign`**
  Runs `cosign verify-blob` for Sigstore signatures and bundles.
- **`slsa_provenance`**
  Runs `slsa-verifier verify-artifact` for SLSA provenance metadata.
- **`github_artifact_attestations`**
  Runs `gh attestation verify`. This requires the GitHub CLI (`gh`) on `PATH`, or `verifier_install: auto` so Atmos can install `cli/cli` through the toolchain.
- **`minisign`**
  Runs `minisign -Vm` for Minisign signatures.

## Strict Verification

Use `required` policies when every package must provide verification metadata:

**File:** `atmos.yaml`

```yaml
toolchain:
  verification:
    checksums: required
    signatures: required
    verifier_install: path_only
```

With this configuration, installation fails when checksum metadata is missing, signature or attestation metadata is missing, a verifier CLI is missing from `PATH`, or verification fails.
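
The `when_available` and `required` policies behave differently only when metadata is missing. The following sketch is an added example, not Atmos code: it models the `checksums` policy in Python, and the `<hex>  <filename>` checksum-file layout, the function names, and the sample asset are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Algorithms the page lists for checksum files.
ALGORITHMS = {"sha256", "sha512", "sha1", "md5"}
POLICIES = {"when_available", "required", "disabled"}


def find_expected(checksum_text, asset_name):
    """Return the hex digest listed for asset_name in `<hex>  <name>` lines, or None."""
    for line in checksum_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == asset_name:
            return parts[0].lower()
    return None


def check_asset(policy, algorithm, asset_name, data, checksum_text=None):
    """Return (allow_install, reason) for one downloaded asset (hypothetical helper)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown checksums policy: {policy}")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if policy == "disabled":
        return True, "skipped"
    # Assumption: a checksum file that does not list the asset counts as missing metadata.
    expected = find_expected(checksum_text, asset_name) if checksum_text else None
    if expected is None:
        # The only point where the two verifying policies differ.
        if policy == "required":
            return False, "missing checksum metadata"
        return True, "unverified: no checksum metadata"
    actual = hashlib.new(algorithm, data).hexdigest()
    if hmac.compare_digest(actual, expected):  # constant-time comparison
        return True, "verified"
    return False, "checksum mismatch"


# Constructed sample data, not a real release.
NAME = "tool_linux_amd64.tar.gz"
ASSET = b"constructed tool archive bytes"
SUMS = hashlib.sha256(ASSET).hexdigest() + "  " + NAME + "\n"
TAMPERED = ASSET + b"!"

if __name__ == "__main__":
    cases = (("good", ASSET, SUMS), ("tampered", TAMPERED, SUMS), ("no metadata", ASSET, None))
    for policy in sorted(POLICIES):
        for label, data, sums in cases:
            print(policy, label, check_asset(policy, "sha256", NAME, data, sums))
```

In this model a tampered asset is rejected under both verifying policies, while an asset whose checksum metadata is absent is installed unverified under `when_available` and rejected under `required`.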

## Related

- [Toolchain Configuration](/cli/configuration/toolchain) - Configure tool versions, registries, aliases, and verification
- [Toolchain Registries](/cli/configuration/toolchain/registries) - Configure package metadata sources
- [`atmos toolchain install`](/cli/commands/toolchain/install) - Install toolchain packages
