- `SHA256SUMS` for published binaries/packages
- Software bill of materials (SBOM)
- Signed provenance attestations
CLI Verification
For CLI releases, release assets include:
- the published package tarball (`*.tgz`)
- `SHA256SUMS`
- `cli-sbom.cdx.json`
1. Verify SHA256 checksum
2. Review SBOM
3. Verify provenance attestation
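The checksum step (step 1 here, and the same step in the desktop and server procedures), as an added Python example that is not Ghostable's own tooling; the asset names and file contents are constructed, and the `SHA256SUMS` line format is assumed to be the one `sha256sum` writes.

```python
# Added example (not Ghostable's own tooling): step 1 of the procedures above,
# checking assets against SHA256SUMS. Assumes the `sha256sum` line format
# "<64 hex chars>  <filename>" (an optional "*" before the name = binary mode).
import hashlib, re, tempfile
from pathlib import Path

LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")

def parse_sha256sums(text: str) -> dict[str, str]:
    """Map each listed filename to its expected lowercase digest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:  # a corrupt or hand-edited sums file must not pass silently
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        expected[m.group(2).strip()] = m.group(1).lower()
    return expected

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large DMGs
            h.update(chunk)
    return h.hexdigest()

def verify_release_dir(release_dir: Path) -> dict[str, str]:
    """Return {asset: 'ok' | 'mismatch' | 'missing'}; gate rollout on all 'ok'."""
    expected = parse_sha256sums((release_dir / "SHA256SUMS").read_text())
    results = {}
    for name, digest in expected.items():
        asset = release_dir / name
        results[name] = ("missing" if not asset.is_file()
                         else "ok" if sha256_of(asset) == digest else "mismatch")
    return results

def demo() -> dict[str, str]:
    """Constructed sample release dir: one good, one tampered, one absent asset."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ghostable-cli.tgz").write_bytes(b"constructed tarball bytes")
        (root / "tampered.tgz").write_bytes(b"modified after release")
        good = sha256_of(root / "ghostable-cli.tgz")
        lines = [f"{good}  ghostable-cli.tgz", f"{'0' * 64} *tampered.tgz",
                 f"{'f' * 64}  absent.tgz"]
        (root / "SHA256SUMS").write_text("\n".join(lines) + "\n")
        return verify_release_dir(root)
```

Only assets named in `SHA256SUMS` are checked, so an asset that is listed but absent is reported as `missing` rather than silently skipped.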
If you’re using GitHub attestation verification:

Desktop Verification
For desktop releases, verify:
- the downloaded DMG (`Ghostable-*.dmg`)
- `SHA256SUMS`
- `desktop-sbom.spdx.json`
1. Verify SHA256 checksum
2. Verify notarization and signing (macOS)
3. Verify provenance attestation
Desktop provenance attestations are generated in CI for Ghostable’s internal supply-chain controls. Because the desktop source repository is private, external users typically rely on:
- `SHA256SUMS` validation
- macOS notarization/signing verification (`spctl` + `codesign`)
Server Verification
For the Ghostable server/API service, release assets include:
- the release archive (`ghostable-*.tar.gz`)
- `SHA256SUMS`
- `ghostable-sbom.spdx.json`
1. Verify SHA256 checksum
2. Review SBOM
3. Verify provenance attestation
Operational Guidance
- Store release artifacts and attestations in your internal artifact registry.
- Gate production rollout on successful checksum + attestation verification.
- Keep SBOM snapshots with change tickets for audit evidence.
Notes for private desktop/server channels
- When a release channel is private (for example desktop), publish a short checksum and SBOM digest summary in customer-facing docs so you can still verify integrity through a trusted internal channel.