Verification
comver supports release verification by:
- Comparing the current configuration to the one used when calculating the version.
- Validating that the commit SHA matches the one from the release.
Why verify?
This process ensures that the release being calculated is generated with the same configuration and from the same Git tree as the previous one.
As a result, you can be confident that neither the Git history nor the versioning settings have changed since the last release was generated.
Obtaining data
To retrieve the current version, commit SHA, and the configuration checksum, run:
This command outputs three space-separated values:
It is recommended to store this output (e.g. attach it to the GitHub release) for later verification.
To get the output in a machine-readable format, add --format=json (also better for storing):
This will return a JSON-formatted result, ideal for automation.
Verifying
To verify a previously published release, run:
Warning
comver verify will return a non-zero exit code and an error message if any discrepancy is found.
If you’ve saved the output as a .json file (e.g., input.json), you can automate the verification using the script below (requires jq):
#!/bin/bash
# Stop at the first failing command or unset variable
set -euo pipefail
# Parse fields using jq (-e makes jq fail if a field is missing or null)
version=$(jq -er '.version' input.json)
sha=$(jq -er '.sha' input.json)
checksum=$(jq -er '.checksum' input.json)
# Call comver verify with the arguments in order: version, sha, checksum
comver verify "${version}" "${sha}" "${checksum}"
This method is especially useful when running verification in a CI pipeline.
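A stored record that is downloaded in CI (for example from a release attachment) is untrusted input until it has been checked. The script below is an added example, not part of comver or its documentation: it validates the three fields before they reach the `comver verify` command line. The helper names (`is_token`, `is_sha`, `check_record`, `field`, `verify_release`) and the assumption that the SHA is a hexadecimal Git object id are illustrative.

```shell
#!/bin/bash
# Added example (not comver's own code): validate a stored release record
# before its fields reach the `comver verify` command line.
set -u

# A field must be one non-empty token. The plain output is space-separated, so
# whitespace is never legitimate, and a leading "-" would be read as an option.
is_token() {
  case "$1" in
    '' | -* | *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Assumption: the SHA is a hexadecimal Git object id (abbreviated or full).
is_sha() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -ge 7 ] && [ "${#1}" -le 64 ]
}

# Succeeds only if version, sha and checksum are all safe to pass on.
check_record() {
  is_token "$1" && is_sha "$2" && is_token "$3"
}

# Read one field as a JSON string; jq -e fails if it is missing or not a string.
field() {
  jq -er --arg k "$2" '.[$k] | strings' "$1"
}

# Hypothetical wrapper: returns 2 for a malformed record, otherwise the exit
# code of comver verify (non-zero on any discrepancy).
verify_release() {
  local file="$1" version sha checksum
  version=$(field "$file" version) && sha=$(field "$file" sha) &&
    checksum=$(field "$file" checksum) &&
    check_record "$version" "$sha" "$checksum" ||
    { echo "malformed release record: $file" >&2; return 2; }
  comver verify "$version" "$sha" "$checksum"
}

# Run only when a record path is given, e.g. ./verify.sh input.json
[ "$#" -eq 0 ] || verify_release "$1"
```

Exit code 2 separates a malformed record from a verification failure reported by comver itself, so a pipeline can treat the two cases differently.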