CLI reference
verify
Verify an artifact or its full parent chain. Exit 0 = clean. Exit 1 = failed.
Usage
```
treeship verify <artifact-id> [OPTIONS]
```
What the verifier checks
- Derives expected artifact ID from `sha256(PAE_bytes)[..16]`
- Compares against stored ID -- tampering detected immediately
- Verifies Ed25519 signature
- Validates statement schema
- Walks parent chain recursively
- Enforces `action.approvalNonce == approval.nonce` if present
- Checks approval expiry
Options
| Option | Description |
|---|---|
| `--no-chain` | Verify only this artifact, do not walk the parent chain |
| `--max-depth <n>` | Maximum chain depth to walk (default: 20) |
| `--format <text\|json>` | Output format |
Examples
```
treeship verify art_f7e6d5c4
```
```
treeship verify art_f7e6d5c4 --format json
```
```json
{
  "outcome": "pass",
  "chain": 3,
  "approver": "human://rezo",
  "approval_description": "approve stripe charge max $500",
  "checks": [
    { "name": "signature", "outcome": "pass" },
    { "name": "content_id", "outcome": "pass" },
    { "name": "schema", "outcome": "pass" },
    { "name": "nonce_binding", "outcome": "pass" },
    { "name": "approval_expiry", "outcome": "pass" }
  ]
}
```
```
treeship verify art_handoff_xyz --trusted-key ./company-a.pem
```
```
treeship verify release.treeship
```
Use `--format json` in CI pipelines. Pipe the output to `jq -e '.outcome == "pass"'` for a clean pass/fail gate.
Use in CI
```yaml
# .github/workflows/verify.yml
- name: Verify deployment chain
  run: |
    treeship verify "$ARTIFACT_ID" --format json | jq -e '.outcome == "pass"'
```
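A stricter gate over the JSON report, as an added example that is not part of Treeship or its documentation: besides `outcome`, it requires every check named in the sample report to be present and passing, and pins the approver to an allowlist. The function name `gate`, the allowlist policy, and the assumption that every report uses the shape shown under Examples are this example's own.

```python
import json
import sys

# Policy of this example: every check named in the sample report must be present.
REQUIRED_CHECKS = ("signature", "content_id", "schema", "nonce_binding", "approval_expiry")

# Constructed input: the report shape shown in the Examples section above.
SAMPLE_REPORT = """{"outcome": "pass", "chain": 3, "approver": "human://rezo",
 "approval_description": "approve stripe charge max $500", "checks": [
 {"name": "signature", "outcome": "pass"}, {"name": "content_id", "outcome": "pass"},
 {"name": "schema", "outcome": "pass"}, {"name": "nonce_binding", "outcome": "pass"},
 {"name": "approval_expiry", "outcome": "pass"}]}"""

def gate(report_text, allowed_approvers):
    """Return the reasons to block the deployment; an empty list means proceed."""
    try:
        report = json.loads(report_text)
    except json.JSONDecodeError as exc:
        return [f"report is not valid JSON: {exc.msg}"]  # fail closed on empty output
    if not isinstance(report, dict):
        return ["report is not a JSON object"]

    reasons = []
    if report.get("outcome") != "pass":
        reasons.append(f"outcome is {report.get('outcome')!r}")

    # Collect every outcome per check name, so a duplicate entry cannot mask a failure.
    seen = {}
    checks = report.get("checks")
    for entry in checks if isinstance(checks, list) else []:
        if isinstance(entry, dict):
            seen.setdefault(str(entry.get("name")), []).append(entry.get("outcome"))
    for name in REQUIRED_CHECKS:
        if name not in seen:
            reasons.append(f"check {name} missing from report")
    for name, outcomes in seen.items():
        if any(outcome != "pass" for outcome in outcomes):
            reasons.append(f"check {name} did not pass")

    approver = report.get("approver")
    if not isinstance(approver, str) or approver not in allowed_approvers:
        reasons.append(f"approver {approver!r} not in allowlist")
    return reasons

if __name__ == "__main__":
    # Usage: treeship verify <artifact-id> --format json | python gate.py
    problems = gate(sys.stdin.read(), allowed_approvers={"human://rezo"})
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

Requiring `nonce_binding` and `approval_expiry` is only appropriate for pipelines where every deployable artifact must carry an approval.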