audr
/security

audr is a security tool. The site that distributes it has to behave like one.

Release signing

Every audr release is signed with cosign in sigstore keyless mode. There is no static public key to pin: the signer is identified by a short-lived OIDC certificate proving the binary was built by audr's GitHub Actions release workflow, and the signature is recorded in the public sigstore Rekor transparency log. The audr verify subcommand and a standalone cosign verify-blob both perform this check.

# Audr uses sigstore keyless signing — there is no static pubkey to pin.
# The signing identity is the GitHub Actions workflow at
# github.com/harshmaur/audr/.github/workflows/release.yml@<tag>, attested
# via the public sigstore Rekor transparency log.
#
# Verify a downloaded tarball yourself:
audr verify audr-v0.14.41-linux-arm64.tar.gz
#   → checks SHA-256 against SHA256SUMS
#   → if cosign is on PATH, also verifies the sigstore signature and
#     asserts the cert identity matches the audr release workflow
#
# Or use cosign directly:
cosign verify-blob \
  --bundle audr-v0.14.41-linux-arm64.tar.gz.sig \
  --certificate-identity-regexp 'https://github.com/harshmaur/audr/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  audr-v0.14.41-linux-arm64.tar.gz
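
A fuller verification script, added here as an example and not code from audr or its site: it checks the tarball against SHA256SUMS (and fails when the tarball is not listed at all, which sha256sum -c --ignore-missing would silently pass), then pins the cosign identity to the exact release workflow and tag named in the comment above instead of a prefix regexp that any workflow in the repository would satisfy. It assumes the release workflow runs on the tag push, so the certificate subject ends in @refs/tags/<tag>.

```shell
#!/bin/sh
# Added example, not code from audr or its site: a fuller check of a
# downloaded release tarball. Assumes the tarball, SHA256SUMS and the
# .sig bundle are in the current directory, and that the release
# workflow runs on the tag push (so the certificate subject is
# .../release.yml@refs/tags/<tag>).

# Identity the signing certificate must carry, built from the release tag.
release_identity() {
  echo "https://github.com/harshmaur/audr/.github/workflows/release.yml@refs/tags/$1"
}

# Step 1: SHA-256 against SHA256SUMS. Only the line for this tarball is
# fed to sha256sum, and a tarball that is not listed at all is a failure
# (sha256sum -c --ignore-missing would report success with nothing verified).
verify_checksum() {
  tarball=$1
  sums=${2:-SHA256SUMS}
  grep -q " ${tarball}\$" "$sums" || { echo "$tarball not in $sums" >&2; return 1; }
  grep " ${tarball}\$" "$sums" | sha256sum -c --status - \
    || { echo "checksum mismatch for $tarball" >&2; return 1; }
}

# Step 2: sigstore signature, with the identity pinned exactly rather than
# by prefix regexp. Returns 2 (not 0) when cosign is unavailable so the
# caller cannot mistake a skipped check for a passed one.
verify_signature() {
  tarball=$1
  tag=$2
  command -v cosign >/dev/null 2>&1 \
    || { echo "cosign not on PATH; signature not verified" >&2; return 2; }
  cosign verify-blob \
    --bundle "${tarball}.sig" \
    --certificate-identity "$(release_identity "$tag")" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$tarball"
}

# Usage: sh verify-audr.sh audr-v0.14.41-linux-arm64.tar.gz v0.14.41
if [ $# -eq 2 ]; then
  verify_checksum "$1" && verify_signature "$1" "$2"
fi
```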

security.txt

The canonical machine-readable security contact lives at /.well-known/security.txt per RFC 9116.

Vulnerability disclosure

Email harshmaur@gmail.com with reproduction steps and (where possible) a proof-of-concept. We aim to acknowledge within 24 hours and to ship a fix before public disclosure when the issue affects shipped audr versions. Coordinated disclosure is welcome; do not exploit beyond what is needed to demonstrate the issue.

Privacy

audr.dev does not run third-party analytics. No Google Analytics. No Segment. No advertising networks. The page makes no third-party network requests.

The audr install script sends one piece of attribution data: when invoked from audr.dev, the user-agent of the tarball download contains from=audr.dev so we can attribute the install funnel. Disable it with AUDR_NO_REFERRER=1.

Browser support

Last 2 versions of Chrome, Safari, Firefox, Edge. Safari 14+ minimum (WASM). The dev path (curl … | sh) works regardless of browser.