diff --git a/bin/cli.php b/bin/cli.php
new file mode 100755
index 0000000..bd24b22
--- /dev/null
+++ b/bin/cli.php
@@ -0,0 +1,16 @@
+#!/usr/bin/env php
+<?php
+
+declare(strict_types=1);
+
+use Symfony\Component\Console\Application;
+
+// phpcs:ignore Squiz.NamingConventions.ValidVariableName.NotCamelCaps
+include $_composer_autoload_path ?? __DIR__ . '/../vendor/autoload.php';
+
+$application = new Application('Attestation CLI');
+$application->addCommands([
+    new \ThePhpFoundation\Attestation\Command\Verify(),
+]);
+
+$application->run();
diff --git a/composer.json b/composer.json
index 7c97469..8411155 100644
--- a/composer.json
+++ b/composer.json
@@ -6,6 +6,7 @@
         "php": "^7.4||^8.0",
         "ext-json": "*",
         "composer/composer": "^2.2",
+        "symfony/console": "^5.4",
         "webmozart/assert": "^1.11"
     },
     "require-dev": {
diff --git a/composer.lock b/composer.lock
index c5cbc4d..feb72ec 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "23718054fa8c4dd1e5770a3c96d31f9a",
+    "content-hash": "803ef4f4a68a11c619339da061acda60",
     "packages": [
         {
             "name": "composer/ca-bundle",
@@ -4546,5 +4546,5 @@
     "platform-overrides": {
         "php": "7.4.0"
     },
-    "plugin-api-version": "2.6.0"
+    "plugin-api-version": "2.9.0"
 }
diff --git a/src/Command/Verify.php b/src/Command/Verify.php
new file mode 100644
index 0000000..9626c38
--- /dev/null
+++ b/src/Command/Verify.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ThePhpFoundation\Attestation\Command;
+
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use ThePhpFoundation\Attestation\FilenameWithChecksum;
+use ThePhpFoundation\Attestation\Verification\VerifyAttestationWithOpenSsl;
+
+class Verify extends Command
+{
+    protected static $defaultName = 'verify';
+
+    protected function configure(): void
+    {
+        // @todo we should probably make this match https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md#verify
+        $this->addArgument('filename', InputArgument::REQUIRED, 'The filename to verify');
+        $this->addOption('owner', 'o', InputOption::VALUE_REQUIRED, 'The owner to verify against');
+    }
+
+    public function execute(InputInterface $input, OutputInterface $output): int
+    {
+        $file = $input->getArgument('filename');
+        $owner = (string) $input->getOption('owner');
+
+        if ($owner === '') {
+            $output->writeln('Specify owner, e.g. --owner=blah');
+
+            return 1;
+        }
+
+        $output->writeln(sprintf(
+            'Verifying file: <info>%s</info>, for owner <info>%s</info>...',
+            $file,
+            $owner,
+        ));
+
+        $verifier = VerifyAttestationWithOpenSsl::factory();
+        $verifier->verify(
+            FilenameWithChecksum::fromFilename($file),
+            $owner,
+            basename($file), // @todo this might not match the record!
+            [], // @todo what should we verify here?
+        );
+
+        $output->writeln('✅ Verified');
+
+        return 0;
+    }
+}