CLI reference
verify
Verify an artifact or its full parent chain. Exit 0 = clean. Exit 1 = failed.
Usage
treeship verify <artifact-id> [OPTIONS]What the verifier checks
- Derives expected artifact ID from
sha256(PAE_bytes)[..16] - Compares against stored ID -- tampering detected immediately
- Verifies Ed25519 signature
- Validates statement schema
- Walks parent chain recursively
- Enforces
action.approvalNonce == approval.nonceif present - Checks approval expiry
Options
| Option | Description |
|---|---|
--no-chain | Verify only this artifact, do not walk the parent chain |
--max-depth <N> | Maximum chain depth to walk (default: 20) |
--full | Show full chain timeline with box-drawn cards |
--format json | Global flag. Output as JSON instead of text |
Examples
treeship verify art_f7e6d5c4treeship verify art_f7e6d5c4 --fulltreeship verify art_f7e6d5c4 --format json{
"outcome": "pass",
"total": 3,
"passed": 3,
"failed": 0,
"checks": [
{ "id": "art_a1b2c3d4", "outcome": "pass", "reason": null },
{ "id": "art_e5f6a7b8", "outcome": "pass", "reason": null },
{ "id": "art_f7e6d5c4", "outcome": "pass", "reason": null }
]
}treeship verify release.treeshipUse --format json in CI pipelines. Pipe the output to jq -e '.outcome == "pass"' for a clean pass/fail gate.
Use in CI
# .github/workflows/verify.yml
- name: Verify deployment chain
run: |
treeship verify $ARTIFACT_ID --format json | jq -e '.outcome == "pass"'