CRA & compliance
Every release tag can become a CRA Evidence Bundle — a signed, Annex I–mapped, offline-verifiable archive. This is the differentiator: compliance falls out of working well.
The EU Cyber Resilience Act
The CRA — Regulation (EU) 2024/2847 — applies to products with digital elements placed on the Union market. It demands secure-by-design practices, vulnerability handling and coordinated disclosure, incident reporting on tight clocks, conformity assessment with technical documentation, SBOMs and provenance, and a declared support period. CI logs and PR approvals don't satisfy a conformity assessment; zegit produces evidence that does.
Not legal advice — and not yet certified
The bundle format and Annex I mapping currently carry "CRA Expert Review status: PENDING." They have not been reviewed by a notified body or CRA expert and must not be treated as final or as legal advice.
The Evidence Bundle
A bundle is generated at Tag Request finalization (and re-generatable on demand) by zg evidence bundle. It is a signed ZIP whose top-level manifest.json is DSSE-signed with your login certificate and ties everything together.
```sh
# produce a bundle for a release, diffed against the previous tag
zg evidence bundle --tag v1.0.0 --prev v0.9.0 --sbom sbom.json --out v1.0.0.zip
# verify it offline against only the Root CA
zg evidence verify-bundle v1.0.0.zip --trust-root /etc/zegit/root.crt --json
```
What's inside
| Path | Contents |
|---|---|
| manifest.json | DSSE-signed top-level manifest tying the bundle together. |
| tag.json | The tag ref + signed-tag verification material. |
| tr.json | The Tag Request record and every approval (cert chain + passkey-touch attestation). |
| aovs/<sha>.dsse | Every AoV for every commit since the previous tag. |
| policy/ | The effective policy snapshot — ZEGITFILE, .zegit/config.yaml, policy packs. |
| sbom/ | Ingested SBOMs (syft / CycloneDX / SPDX), verbatim and normalized. |
| vulns/ | Ingested vulnerability scan reports. |
| cra-annex-i.pdf | A human-readable summary mapped to CRA Annex I, with "your responsibility" slots. |
Offline verification
zg evidence verify-bundle re-verifies every signature using only the Root CA and the bundle's own contents — no network call, which is what makes it usable in an air-gapped audit. It reports per-commit AoV coverage, the TR quorum and approvers, and a verdict. Tampering yields ZG_ERR_BUNDLE_TAMPERED or ZG_ERR_SIGNATURE_INVALID and a non-zero exit.
Archive the pair
Store the bundle ZIP and the Root CA certificate together. That pair is self-contained: it verifies years later with no live infrastructure.
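The following is an added example, not zegit's own code: a Go model of the bundle layout in the table above and of the offline check that zg evidence verify-bundle performs, showing why the signed manifest and the trust root together are enough to catch a member edited after signing, an unlisted extra member, or a missing one. It assumes a manifest schema (a `tag` plus a `files` map of hex SHA-256 digests) and a DSSE payload type that are invented for the example, uses a single Ed25519 key pair in place of the login certificate and its chain to the Root CA, and leaves the ZIP container out by treating a bundle as its extracted members. The sample members are constructed; only the two error verdicts come from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Verdicts named on the page, returned here as sentinel errors.
var ErrTampered, ErrSignatureInvalid = errors.New("ZG_ERR_BUNDLE_TAMPERED"), errors.New("ZG_ERR_SIGNATURE_INVALID")

// Assumed DSSE payload type and manifest schema; neither is zegit's real one.
const manifestType = "application/vnd.example.bundle-manifest+json"

type Manifest struct {
	Tag   string            `json:"tag"`
	Files map[string]string `json:"files"` // member path -> hex SHA-256
}

// Envelope follows the DSSE layout: payloadType, base64 payload, {keyid, sig} list.
type Envelope struct {
	PayloadType string              `json:"payloadType"`
	Payload     string              `json:"payload"`
	Signatures  []map[string]string `json:"signatures"`
}

// pae is the DSSE Pre-Authentication Encoding: the signature covers the payload
// type as well as the payload, so a signed blob cannot be replayed as another kind.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// buildBundle returns the members plus a DSSE-signed manifest.json holding a SHA-256
// digest of every other member (the ZIP container is modelled as its extracted members).
func buildBundle(tag string, members map[string][]byte, priv ed25519.PrivateKey) map[string][]byte {
	m := Manifest{Tag: tag, Files: map[string]string{}}
	bundle := map[string][]byte{}
	for name, data := range members {
		sum := sha256.Sum256(data)
		m.Files[name] = hex.EncodeToString(sum[:])
		bundle[name] = data
	}
	payload, _ := json.Marshal(m)
	sig := ed25519.Sign(priv, pae(manifestType, payload))
	bundle["manifest.json"], _ = json.Marshal(Envelope{
		PayloadType: manifestType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []map[string]string{{"keyid": "login-cert", "sig": base64.StdEncoding.EncodeToString(sig)}},
	})
	return bundle
}

// verifyBundle needs only the members and the trust root: the manifest signature is
// checked before any digest is trusted, then every listed member must match and no
// unlisted member may be present.
func verifyBundle(bundle map[string][]byte, root ed25519.PublicKey) (*Manifest, error) {
	var env Envelope
	err := json.Unmarshal(bundle["manifest.json"], &env)
	payload, derr := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || derr != nil {
		return nil, ErrTampered
	}
	ok := false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s["sig"])
		ok = ok || err == nil && ed25519.Verify(root, pae(env.PayloadType, payload), sig)
	}
	if !ok {
		return nil, ErrSignatureInvalid
	}
	var m Manifest
	if json.Unmarshal(payload, &m) != nil || len(bundle) != len(m.Files)+1 {
		return nil, ErrTampered
	}
	for name, want := range m.Files {
		data, present := bundle[name]
		if sum := sha256.Sum256(data); !present || hex.EncodeToString(sum[:]) != want {
			return nil, ErrTampered
		}
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the login cert and Root CA
	members := map[string][]byte{ // constructed stand-ins for the real members
		"tag.json":         []byte(`{"ref":"refs/tags/v1.0.0"}`),
		"aovs/abc123.dsse": []byte(`{"payloadType":"aov","payload":"..."}`),
	}
	bundle := buildBundle("v1.0.0", members, priv)
	_, err := verifyBundle(bundle, pub)
	fmt.Println("genuine bundle:", err) // <nil>
	bundle["aovs/abc123.dsse"] = []byte("rewritten after signing") // edit one AoV post-signing
	_, err = verifyBundle(bundle, pub)
	fmt.Println("edited AoV:", err) // ZG_ERR_BUNDLE_TAMPERED
	other, _, _ := ed25519.GenerateKey(nil) // a trust root that never signed anything
	_, err = verifyBundle(buildBundle("v1.0.0", members, priv), other)
	fmt.Println("wrong trust root:", err) // ZG_ERR_SIGNATURE_INVALID
}
```

Two design points carry over to the real tool. The signature is verified before any digest in the manifest is believed, so an attacker who can rewrite members cannot also rewrite the list of expected digests without holding the signing key; and the member count is compared with the manifest, because a bundle that merely passes every listed digest could still smuggle in an unlisted file. In zegit the raw-key comparison is replaced by validating the login certificate's chain up to the archived Root CA, which is why the bundle and that certificate are the pair worth keeping together.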
Runner image tiers
The honest gap in a v1 AoV — that it doesn't prove the validation executed as claimed — is closed progressively by attested runner images:
| Tier | What it adds | Status |
|---|---|---|
| Tier 1 · Community | Signed image + SBOM + baseline scan. | shipping |
| Tier 2 · Verified | Hardening, patch SLA, reproducible inputs, runner-signed AoVs. | phase 2 |
| Tier 3 · Assessed | Notified-body assessment. | phase 3 |
SOC 2
SOC 2 is a later phase (Type I, then Type II). zegit builds SOC-friendly controls from day one but makes no early audit claim.
Authoritative reference, generated from the component repos. Spot something stale? Tell us.