@simon I understand what this does, but I don’t understand the value of it. It provides validation that the build happened on MS’s server and that they used a specific checkout. But if builds are not reproducible (e.g., use unchecksummed external resources), this guarantees nothing. If builds are properly reproducible, what value does the attestation add?
@whynothugo I like that I can see the git commit hash that was used for the build, which means I can review the code myself