Artifact Integrity and SBOM
Supply-chain controls make governance artifacts verifiable end to end. Policies, binaries, manifests, and compliance exports should be treated as security-critical artifacts with integrity proofs, not as informal files passed between systems. Faramesh includes primitives for SBOM generation, detached signatures, manifest validation, and build metadata verification.
The objective is not only to detect tampering, but to prove artifact lineage during audits and incident response. When a policy or binary changes unexpectedly, you need to answer: where did it come from, who signed it, and does it match the expected release manifest? These commands provide that evidence path.
Baseline verification flow
Adopt this order in CI to reduce blind spots:
1. Generate an SBOM for each release artifact set.
2. Sign policy and package artifacts with controlled keys.
3. Generate and verify manifests in deployment pipelines.
4. Validate buildinfo for reproducibility and provenance checks.
Generate an SBOM
Emit CycloneDX JSON for the faramesh binary and its dependencies.
faramesh sbom > faramesh.cdx.json
Sign and verify artifacts
Use Ed25519 keys for detached signature workflows.
faramesh sign file --private-key ./ed25519-private.pem --file ./policy.yaml --output policy.sig.b64
faramesh verify signature --public-key ./ed25519-public.pem --file ./policy.yaml --signature ./policy.sig.b64
Manifest integrity checks
Build and verify SHA-256 manifests for release artifacts.
faramesh verify manifest-generate --base-dir . --output manifest.json ./policy.yaml ./bundle.tar.gz
faramesh verify manifest manifest.json --base-dir .
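To make the signing and manifest steps concrete, here is an added example (not Faramesh's own code, and not its manifest format, which this page does not show) that does in Go what the two command groups above do together: hash an artifact set into a deterministic SHA-256 manifest, sign the manifest with an Ed25519 key as a base64 detached signature, and run the deploy-time gate that rejects a release when either the signature or any digest fails. The artifact contents, the JSON layout and the key are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Manifest maps an artifact's relative path to its hex SHA-256 digest.
// (Assumed layout for this example; the real manifest.json may differ.)
type Manifest struct {
	Files map[string]string `json:"files"`
}

// GenerateManifest hashes every artifact (path -> content) with SHA-256.
func GenerateManifest(artifacts map[string][]byte) Manifest {
	m := Manifest{Files: make(map[string]string, len(artifacts))}
	for path, data := range artifacts {
		sum := sha256.Sum256(data)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// EncodeManifest produces canonical JSON: encoding/json writes map keys in
// sorted order, so the same artifact set always yields byte-identical output.
func EncodeManifest(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// VerifyManifest recomputes digests and returns every path that is missing,
// unexpected, or whose digest differs. An empty slice means the set is intact.
func VerifyManifest(m Manifest, artifacts map[string][]byte) []string {
	var problems []string
	for path, want := range m.Files {
		data, ok := artifacts[path]
		if !ok {
			problems = append(problems, "missing: "+path)
			continue
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			problems = append(problems, "digest mismatch: "+path)
		}
	}
	for path := range artifacts {
		if _, ok := m.Files[path]; !ok {
			problems = append(problems, "not in manifest: "+path)
		}
	}
	sort.Strings(problems)
	return problems
}

// SignDetached returns a base64 Ed25519 signature over data, the equivalent
// of a detached .sig.b64 file kept beside the artifact.
func SignDetached(priv ed25519.PrivateKey, data []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, data))
}

// VerifyDetached checks a base64 detached signature against the artifact bytes.
func VerifyDetached(pub ed25519.PublicKey, data []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, data, sig)
}

// ReleaseCheck is the deploy-time gate: the manifest's signature must verify
// and every artifact must match the manifest; anything else blocks the release.
func ReleaseCheck(pub ed25519.PublicKey, manifestJSON []byte, sigB64 string, artifacts map[string][]byte) (bool, []string) {
	if !VerifyDetached(pub, manifestJSON, sigB64) {
		return false, []string{"manifest signature invalid"}
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return false, []string{"manifest unparsable: " + err.Error()}
	}
	problems := VerifyManifest(m, artifacts)
	return len(problems) == 0, problems
}

func main() {
	// Constructed artifact set standing in for ./policy.yaml and ./bundle.tar.gz.
	artifacts := map[string][]byte{
		"policy.yaml":   []byte("version: 1\nrules: []\n"),
		"bundle.tar.gz": []byte("not-a-real-tarball"),
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	// Pipeline side: generate the manifest and sign it with the release key.
	manifestJSON, _ := EncodeManifest(GenerateManifest(artifacts))
	sig := SignDetached(priv, manifestJSON)
	ok, problems := ReleaseCheck(pub, manifestJSON, sig, artifacts)
	fmt.Println("clean release passes:", ok, problems)

	// A policy edited after signing must be caught by the gate, not warned about.
	artifacts["policy.yaml"] = []byte("version: 1\nrules: [allow-all]\n")
	ok, problems = ReleaseCheck(pub, manifestJSON, sig, artifacts)
	fmt.Println("tampered release passes:", ok, problems)
}
```

Signing the manifest rather than each file separately means one signature covers the whole release set, and the manifest-versus-disk comparison then catches a swapped, missing or added artifact; the gate returns a boolean precisely so CI can fail the job on it instead of logging a warning.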
Build reproducibility metadata
Emit buildinfo and compare against expected fingerprint in CI.
faramesh verify buildinfo --emit > buildinfo.json
faramesh verify buildinfo buildinfo.json
Compliance bundle export
Create deterministic compliance evidence from DPR WAL.
faramesh compliance export --wal /var/lib/faramesh/dpr.wal --out compliance-bundle.json
Common supply-chain gaps
These gaps repeatedly appear in post-incident analysis:
- Signing artifacts but skipping signature verification at deploy time.
- Generating SBOMs once without pinning them to specific release artifacts.
- Using shared signing keys without strict operator separation.
- Treating manifest mismatches as warnings instead of release blockers.