# Release Verification

> Verify the Parmana runtime release manifest

## What a release manifest is

The release manifest (`artifacts/release-manifest.json`) describes the governance server's own identity: its version, binary hash, and compilation provenance. Every attestation includes a `releaseManifestHash`, the SHA-256 of this file.

Verifying the release manifest proves that the runtime itself was built from a known, signed release.

***

## Release manifest structure

```json
{
  "runtimeVersion": "1.0.0",
  "runtimeHash": "sha256:c9d4e5f...",
  "buildTimestamp": "2024-01-10T00:00:00.000Z",
  "capabilities": ["execute", "verify", "audit"],
  "supportedSchemaVersions": ["1.0.0"],
  "releaseId": "parmana-server-1.0.0-20240110"
}
```

`artifacts/release-manifest.sig` contains the Ed25519 signature over the canonical JSON of this file.

***

## Using verifyExecutionRequirements

Verifies that an attestation's runtime requirements are satisfied by a given manifest:

```typescript
import {
  verifyExecutionRequirements,
  LocalVerifier,
} from "@parmanasystems/core";
import fs from "node:fs";

// Trust root public key used to build the verifier.
const publicKey       = fs.readFileSync("trust/root.pub", "utf8");
const verifier        = new LocalVerifier(publicKey);
const releaseManifest = JSON.parse(
  fs.readFileSync("artifacts/release-manifest.json", "utf8")
);
// Detached signature file; read here but not passed to the call below.
const releaseSignature = fs.readFileSync("artifacts/release-manifest.sig", "utf8");

// Requirements are copied from the manifest here for illustration; when
// checking an attestation, use the requirements that attestation carries.
const result = verifyExecutionRequirements(
  {
    supportedRuntimeVersions: [releaseManifest.runtimeVersion],
    supportedSchemaVersions: releaseManifest.supportedSchemaVersions,
  },
  releaseManifest,
  verifier
);

console.log(result.valid); // true
```

***

## Matching release manifest hash to attestation

```typescript
import crypto from "node:crypto";
import { canonicalize } from "@parmanasystems/core";

// `releaseManifest` is the parsed manifest from the previous snippet;
// `attestation` is the attestation being checked.
const releaseManifestHash = crypto
  .createHash("sha256")
  .update(canonicalize(releaseManifest), "utf8")
  .digest("hex");

if (attestation.releaseManifestHash !== releaseManifestHash) {
  throw new Error(
    "Release manifest hash mismatch: attestation may be from a different release"
  );
}
```

***

## CLI verification

```bash
npx @parmanasystems/verifier-cli verify-release \
  --manifest artifacts/release-manifest.json \
  --signature artifacts/release-manifest.sig \
  --public-key trust/root.pub
```

Expected output:

```
✓ Release manifest signature verified
  runtimeVersion: 1.0.0
  runtimeHash: sha256:c9d4e5f...
  releaseId: parmana-server-1.0.0-20240110
```

***

## Expected result

A successful release verification confirms:

1. The `artifacts/release-manifest.sig` is a valid Ed25519 signature over the canonical manifest JSON
2. The manifest was signed by a key that traces to the trust root
3. The `runtimeVersion` and `runtimeHash` in the manifest match the values embedded in attestations produced by this runtime
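
The signature check from item 1 and the hash comparison from "Matching release manifest hash to attestation", reproduced with only `node:crypto` as an added example (not Parmana's own code). Assumptions: `canonicalJson` is a sorted-key stand-in for the package's `canonicalize`, the signature is base64-encoded, and the key pair and manifest values are constructed samples.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Stand-in canonical form (assumption): keys sorted recursively, no whitespace.
// The project's own canonicalize() may differ in detail.
function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const members = Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalJson(obj[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value);
}

// SHA-256 over the canonical bytes, hex-encoded as in the snippet above.
function manifestHash(manifest: unknown): string {
  return createHash("sha256").update(canonicalJson(manifest), "utf8").digest("hex");
}

// Ed25519 hashes internally, so the digest argument to verify() is null.
function verifyManifest(manifest: unknown, sigB64: string, key: KeyObject): boolean {
  const message = Buffer.from(canonicalJson(manifest), "utf8");
  return verify(null, message, key, Buffer.from(sigB64, "base64"));
}

// Constructed sample data: throwaway key pair, manifest shaped like the page's.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const manifest = {
  runtimeVersion: "1.0.0",
  runtimeHash: "sha256:constructed-sample-value",
  capabilities: ["execute", "verify", "audit"],
  releaseId: "sample-release",
};
const signature = sign(null, Buffer.from(canonicalJson(manifest), "utf8"), privateKey)
  .toString("base64");
const attestation = { releaseManifestHash: manifestHash(manifest) };

// Same content, different key order: canonicalization makes it verify identically.
const reordered = { releaseId: manifest.releaseId, capabilities: manifest.capabilities,
  runtimeHash: manifest.runtimeHash, runtimeVersion: manifest.runtimeVersion };
// One field changed after signing: both checks must fail.
const tampered = { ...manifest, runtimeHash: "sha256:altered-after-signing" };

for (const [name, m] of Object.entries({ manifest, reordered, tampered })) {
  const sigOk = verifyManifest(m, signature, publicKey);
  const hashOk = manifestHash(m) === attestation.releaseManifestHash;
  console.log(`${name}: signature ${sigOk ? "valid" : "INVALID"}, hash ${hashOk ? "match" : "MISMATCH"}`);
}
```

Both checks are byte-exact over the canonical form, so a verifier that canonicalizes differently from the signer will reject an untouched manifest.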

***

## Troubleshooting

**Release manifest signature invalid:** The manifest was modified after signing, or the wrong public key is being used. Contact the team that distributed the release.

**`releaseManifestHash` mismatch between attestation and file:** The attestation was produced by a different release than the one at `artifacts/release-manifest.json`. Either the runtime was updated since the attestation was produced, or the release manifest was replaced. Obtain the release manifest from the same release that produced the attestation.
