Skip to content

UD2025.44

Latest
Latest

Choose a tag to compare

View all tags
@Maxim-Doronin Maxim-Doronin released this 19 Nov 23:29
· 2 commits to develop since this release
Immutable release. Only release title and notes can be modified.
npu_ud_2025_44_rc1
a934b15
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Supported platforms

Release notes

The UD2025.44 Release Notes have been published as part of the Intel® NPU Windows Driver release notes, including the integrated NPU Compiler component.

Dependencies

NPU Linux Driver

The following driver version was used for NPU Compiler UD2025.44 Continuous Integration.

The following driver version contains NPU Compiler UD2025.44 as a binary component

Artifacts Information and supply-chain security

Click to expand

📦 Artifacts Information

This release provides three CiD (Compiler-in-Driver) binary packages for integration into the NPU Driver on the following platforms:

  • Windows 11
  • Ubuntu 22.04
  • Ubuntu 24.04

To ensure end-to-end supply-chain security, both the release and each individual artifact are protected by multiple integrity guarantees:

  • Digital signatures via Sigstore Cosign — any modification to a signed artifact invalidates the signature.
  • GitHub artifact provenance attestations — each artifact is accompanied by a build-provenance attestation published on the repository’s attestations page.
  • Immutable GitHub Release — the release tag and all assets are permanently locked after publication and cannot be modified, replaced, or deleted.

All commands below work on any platform. On Windows (CMD/PowerShell), simply replace the line-continuation symbol \ with ^.

🔐 Cosign Digital Signatures

Cosign provides cryptographic verification of both the artifact content and the associated Rekor entry. Together, these systems guarantee that each artifact originates exactly from this repository’s CI pipeline and has not been modified post-publication and allow anyone to validate that this artifact was produced by the official GitHub Actions workflow for this repository.
Each release artifact includes a signature bundle named:

<artifact>.sigstore.json

This bundle contains:

  • A Sigstore Fulcio certificate. Fulcio issues a short-lived signing certificate that binds the signature to the GitHub Actions workflow identity.
  • A Rekor transparency log entry. Rekor stores the transparency log record, ensuring the signature is publicly auditable and cannot be altered.
  • Signature metadata (SCT, inclusion proof, signature, etc.)

Verify the Signature Online

You can verify the published transparency-log record using:

https://search.sigstore.dev/?hash=<sha256>

To get the <sha256> digest, use the Copy SHA256 button next to any release asset in the GitHub release UI.

Verify the Signature Locally

  1. Install Cosign
    Follow the official guide: https://docs.sigstore.dev/cosign/system_config/installation
  2. Download the files
    • <artifact_name>
    • <artifact_name>.sigstore.json
  3. Run the verification 
    cosign verify-blob \
    --bundle <artifact_name>.sigstore.json \
    --certificate-identity https://github.com/openvinotoolkit/npu_compiler/.github/workflows/job_build_cid.yml@refs/tags/npu_ud_2025_44_rc1 \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    <artifact_name>
    Note: On Windows, the Cosign executable may be named differently (for example, cosign-windows-amd64.exe). Adjust the command accordingly when running verification.
  4. Successful verification 
    Verified OK

🧾 GitHub Release Asset Attestations (Build Provenance)

GitHub automatically generates a build-provenance attestation for each artifact created by GitHub Actions.

These attestations confirm:

  • Which workflow built the artifact
  • Which commit and tag were used
  • That the artifact content matches the workflow output exactly

Verify Attestation Locally

  1. Install & authenticate GitHub CLI
    Installation: https://cli.github.com/
    Login:

    gh auth login

  2. Verify the artifact attestation

    gh attestation verify <artifact_name> \
  --repo openvinotoolkit/npu_compiler \
  --source-ref refs/tags/npu_ud_2025_44_rc1 \
  --signer-workflow "github.com/openvinotoolkit/npu_compiler/.github/workflows/job_build_cid.yml@refs/tags/npu_ud_2025_44_rc1"

  3. Successful verification

    The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/openvinotoolkit
- Source Repository URI must match:......... https://github.com/openvinotoolkit/npu_compiler
- Source repo ref must match:............... refs/tags/npu_ud_2025_44_rc1
- Subject Alternative Name must match regex: ^https://github.com/openvinotoolkit/npu_compiler/.github/workflows/job_build_cid.yml@refs/tags/npu_ud_2025_44_rc1
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... openvinotoolkit/npu_compiler
  - Build workflow:. .github/workflows/job_build_cid.yml@refs/tags/npu_ud_2025_44_rc1
  - Signer repo:.... openvinotoolkit/npu_compiler
  - Signer workflow: .github/workflows/job_build_cid.yml@refs/tags/npu_ud_2025_44_rc1

🛡️ Immutable GitHub Release Verification

Immutable Releases ensure that neither the release tag nor the associated assets can be changed after publication. This prevents supply-chain tampering and increases long-term auditability.

Verify the Integrity of the Release itself

  1. Install & authenticate GitHub CLI 
    gh auth login
  2. Verify the immutable release 
    gh release verify \
  --repo openvinotoolkit/npu_compiler \
  npu_ud_2025_44_rc1
  3. Successful verification
    GitHub CLI confirms that the release is immutable and the attestation is valid 
     Resolved tag npu_ud_2025_44_rc1 to sha1:a934b15d7494c4961afd51cf6c896b15d1fabd8c
 Loaded attestation from GitHub API
 ✓ Release npu_ud_2025_44_rc1 verified!
 
 Assets
 NAME                                                                                                                                                 DIGEST
 l_vpux_compiler_l0_linux_ubuntu_22_04-7_4_3-Release_dyntbb_postcommit_cid_a934b15d7494c4961afd51cf6c896b15d1fabd8c_251119_2122.tar.gz                sha256:5550c378d21cad5d5ea3d95b07ae565626132abe218d8b09dfbefe43d54ea26c
 l_vpux_compiler_l0_linux_ubuntu_22_04-7_4_3-Release_dyntbb_postcommit_cid_a934b15d7494c4961afd51cf6c896b15d1fabd8c_251119_2122.tar.gz.sigstore.json  sha256:26e87ab8ff67a5eba916b508db381e9091e6676177d0483deee198bbb2558b64
 l_vpux_compiler_l0_linux_ubuntu_24_04-7_4_3-Release_dyntbb_postcommit_cid_a934b15d7494c4961afd51cf6c896b15d1fabd8c_251119_2204.tar.gz                sha256:328059b6af98ac8b97dfaf6d3585381401872239cdc06fdbbc7bf6d449d771a6
 l_vpux_compiler_l0_linux_ubuntu_24_04-7_4_3-Release_dyntbb_postcommit_cid_a934b15d7494c4961afd51cf6c896b15d1fabd8c_251119_2204.tar.gz.sigstore.json  sha256:f4b9bd6752b86ef030ac471ab2b7223a228670cbe0bfeb73e9fd12f4d3516a58
 w_vpux_compiler_l0_win_windows_2022-7_4_3-Release_dyntbb_postcommit_cid_a934b15d7494c4961afd51cf6c896b15d1fabd8c_251119_2122.zip                     sha256:e4ebae74faef881c4fa175c4e88f311fcc0a5da0e2e053af938a49c6ce69238a
 w_vpux_compiler_l0_win_windows_2022-7_4_3-Release_dyntbb_postcommit_cid_a934b15d7494c4961afd51cf6c896b15d1fabd8c_251119_2122.zip.sigstore.json       sha256:8ce7298b79a9f2b461cc2fdf85eb034e87c51e02560e2abd48c5554a4c63de54
Assets 9
Loading