Recipe

Build provenance attestation

Cryptographically bind your Meridian loader build to a specific commit, timestamp, and signing identity so every shipped binary carries verifiable origin metadata.

Prerequisites

  • Meridian CLI v2.4+ installed and authenticated
  • Ed25519 signing keypair generated via meridian keygen
  • Git repository with clean working tree

Step 1 — Collect build inputs

Meridian captures the full build environment fingerprint: git commit SHA, toolchain version, linker flags, and all source file hashes. Run the snapshot command from your project root.

meridian snapshot --output build-inputs.json

Step 2 — Sign the manifest

The snapshot manifest is signed with your Ed25519 private key, producing a detached signature that can be distributed alongside the binary.

meridian attest --manifest build-inputs.json --key meridian.key

Step 3 — Embed in payload

The attestation bundle is embedded into the PE resource section during the final link stage. Use the --attestation flag.

meridian build --attestation attestation.bundle --output nimbus.dll

Verification

Any consumer can verify provenance without trusting the distributor. The public key is pinned in the license envelope.

meridian verify --binary nimbus.dll --pubkey meridian.pub
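
The verification step is only as strong as the public key it is given, so this added example (not part of the Meridian documentation or tooling) gates meridian verify behind a fingerprint check and fails closed. The pinned value, the SHA-256-over-file-bytes fingerprint convention, the VERIFY_CMD override and the function names are assumptions for illustration; sha256sum from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Meridian's own tooling. The consumer is assumed to hold
# a fingerprint of the expected public key obtained out of band.

# Print the SHA-256 of a key file's bytes as lowercase hex.
# (Assumed convention: Meridian may define key fingerprints differently.)
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 only if the key file exists and matches the pinned fingerprint.
# Return 2 for an unreadable key, 1 for a mismatch.
check_pin() {
    keyfile=$1
    pinned=$2
    [ -r "$keyfile" ] || { echo "missing key: $keyfile" >&2; return 2; }
    actual=$(key_fingerprint "$keyfile")
    if [ "$actual" != "$pinned" ]; then
        echo "pubkey fingerprint mismatch: got $actual" >&2
        return 1
    fi
}

# Run the verify command from the Verification section, but only with a key
# that passed the pin check. A swapped meridian.pub never reaches the verifier.
# VERIFY_CMD is a hypothetical override so the gate can be tested with a stub.
verify_pinned() {
    binary=$1
    keyfile=$2
    pinned=$3
    check_pin "$keyfile" "$pinned" || return $?
    ${VERIFY_CMD:-meridian} verify --binary "$binary" --pubkey "$keyfile"
}

# Usage (placeholder fingerprint):
#   verify_pinned nimbus.dll meridian.pub "<pinned-sha256-hex>" || exit 1
```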