
# Supply Chain Verification

> Verify Ghostable release artifacts with checksums, SBOMs, and provenance attestations.

Ghostable release pipelines now publish integrity artifacts for each release channel:

* `SHA256SUMS` for published binaries/packages
* Software bill of materials (SBOM)
* Signed provenance attestations

Use these artifacts before promoting a release into production.

## CLI Verification

For CLI releases, release assets include:

* the published package tarball (`*.tgz`)
* `SHA256SUMS`
* `cli-sbom.cdx.json`

### 1. Verify SHA256 checksum

```bash theme={null}
shasum -a 256 -c SHA256SUMS
```
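The one-line `shasum -c` above exits non-zero both when a digest does not match and when the manifest lists a file you never downloaded (a `SHA256SUMS` covers every channel's artifact, and you normally fetch one). The script below is an added example, not Ghostable's own tooling: it parses the `SHA256SUMS` format, verifies each listed file, and keeps "mismatch" and "not downloaded" apart so a rollout gate can require only the artifacts you actually deploy. It serves the identical checksum steps in the Desktop and Server sections as well. Every file name, byte string and digest in the demo is constructed.

```python
"""Verify a SHA256SUMS manifest against the release files in a directory.

Added example, not Ghostable's own tooling: it does what
`shasum -a 256 -c SHA256SUMS` does, but returns a per-file status so a
manifest entry for an artifact you never downloaded (another channel or
platform) can be told apart from a genuine digest mismatch.  File names,
contents and digests in the demo are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse '<64 hex chars>  <file name>' lines as written by shasum/sha256sum.

    A leading '*' on the name marks binary mode and is not part of the name.
    Anything else is treated as a corrupted manifest rather than skipped.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("SHA256SUMS line %d is malformed: %r" % (lineno, raw))
        try:
            int(parts[0], 16)
        except ValueError:
            raise ValueError("SHA256SUMS line %d has a non-hex digest" % lineno)
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def verify_manifest(manifest_path, directory):
    """Return {file name: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    with open(manifest_path, encoding="utf-8") as f:
        expected = parse_sha256sums(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def release_gate(results, required):
    """Gate on the artifacts you will actually deploy: each must be OK.

    A MISSING entry for something you did not download is not a failure,
    but a required artifact that is absent from the manifest is.
    """
    return all(results.get(name) == "OK" for name in required)


def demo():
    """Build a constructed release directory and verify it."""
    with tempfile.TemporaryDirectory() as d:
        cli = "ghostable-cli-0.0.0-example.tgz"       # intact
        server = "ghostable-0.0.0-example.tar.gz"     # altered after the manifest was made
        dmg = "Ghostable-0.0.0-example.dmg"           # listed but not downloaded
        with open(os.path.join(d, cli), "wb") as f:
            f.write(b"constructed CLI tarball bytes")
        with open(os.path.join(d, server), "wb") as f:
            f.write(b"constructed server archive bytes, modified")
        with open(os.path.join(d, "SHA256SUMS"), "w", encoding="utf-8") as f:
            f.write("%s  %s\n" % (sha256_of_file(os.path.join(d, cli)), cli))
            f.write("%s  %s\n" % (hashlib.sha256(b"constructed server archive bytes").hexdigest(), server))
            f.write("%s *%s\n" % ("0" * 64, dmg))
        results = verify_manifest(os.path.join(d, "SHA256SUMS"), d)
        return results, release_gate(results, [cli]), release_gate(results, [server])


if __name__ == "__main__":
    for name, status in demo()[0].items():
        print("%-40s %s" % (name, status))
```

The digest comparison uses `hmac.compare_digest` out of habit rather than necessity (the digests are public), and the gate takes an explicit list of required artifacts so that a `MISSING` entry never passes silently for something you intended to deploy. If you stay with the shell one-liner, GNU `sha256sum` and recent `shasum` accept `--ignore-missing` for the not-downloaded case; a `FAILED` line must always stop the rollout.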

### 2. Review SBOM

```bash theme={null}
# CycloneDX: the described component sits under metadata.component
jq '.metadata.component.name, .metadata.component.version' cli-sbom.cdx.json
```

### 3. Verify provenance attestation

If you're using GitHub attestation verification:

```bash theme={null}
gh attestation verify *.tgz --repo ghostable-dev/cli
```

## Desktop Verification

For desktop releases, verify:

* the downloaded DMG (`Ghostable-*.dmg`)
* `SHA256SUMS`
* `desktop-sbom.spdx.json`

### 1. Verify SHA256 checksum

```bash theme={null}
shasum -a 256 -c SHA256SUMS
```

### 2. Verify notarization and signing (macOS)

```bash theme={null}
spctl -a -vv Ghostable-*.dmg
codesign -dv --verbose=4 /Applications/Ghostable.app
```

### 3. Verify provenance attestation

Desktop provenance attestations are generated in CI for Ghostable's internal supply-chain controls.
Because the desktop source repository is private, external users typically rely on:

* `SHA256SUMS` validation
* macOS notarization/signing verification (`spctl` + `codesign`)

## Server Verification

For the Ghostable server/API service, release assets include:

* the release archive (`ghostable-*.tar.gz`)
* `SHA256SUMS`
* `ghostable-sbom.spdx.json`

### 1. Verify SHA256 checksum

```bash theme={null}
shasum -a 256 -c SHA256SUMS
```

### 2. Review SBOM

```bash theme={null}
# SPDX: document-level name and version
jq '.name, .version' ghostable-sbom.spdx.json
```
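The CLI SBOM is CycloneDX and the server (and desktop) SBOMs are SPDX, and the two formats keep the root component's name and version in different places, which is why the `jq` paths differ between the CLI and server sections. The script below is an added example, not Ghostable's own tooling: it reads the described component from either format and turns "review the SBOM" into a check that the SBOM actually describes the release you are promoting, so a stale or mis-attached SBOM is caught before it becomes audit evidence. Both documents, their component names and their versions are constructed samples.

```python
"""Read the described component out of a CycloneDX or SPDX JSON SBOM and
check it against the release you are about to deploy.

Added example, not Ghostable's own tooling.  The CLI ships a CycloneDX
document (`cli-sbom.cdx.json`) while the desktop and server channels ship
SPDX (`*-sbom.spdx.json`), and the two formats keep the root component's
name and version in different places.  Both documents below are constructed
samples with placeholder names and versions.
"""
import json


def sbom_component(doc):
    """Return (name, version) of the component the SBOM describes.

    CycloneDX: metadata.component is the root component by definition.
    SPDX: the document has a top-level name, but the version lives on the
    package that the document DESCRIBES (via the relationships list).
    """
    if doc.get("bomFormat") == "CycloneDX":
        comp = doc.get("metadata", {}).get("component", {})
        return comp.get("name"), comp.get("version")
    if "spdxVersion" in doc:
        described = {
            r.get("relatedSpdxElement")
            for r in doc.get("relationships", [])
            if r.get("relationshipType") == "DESCRIBES"
        }
        for pkg in doc.get("packages", []):
            if pkg.get("SPDXID") in described:
                return pkg.get("name"), pkg.get("versionInfo")
        # No DESCRIBES relationship: fall back to the document name, no version.
        return doc.get("name"), None
    raise ValueError("not a CycloneDX or SPDX JSON document")


def dependency_names(doc):
    """Names of the listed dependencies (excluding the root component)."""
    if doc.get("bomFormat") == "CycloneDX":
        return sorted(c.get("name") for c in doc.get("components", []))
    root, _ = sbom_component(doc)
    return sorted(p.get("name") for p in doc.get("packages", []) if p.get("name") != root)


def sbom_matches_release(doc, expected_name, expected_version):
    """Gate: the SBOM must describe exactly the artifact being promoted."""
    return sbom_component(doc) == (expected_name, expected_version)


# Constructed CycloneDX sample, shaped like a cli-sbom.cdx.json.
CYCLONEDX_SAMPLE = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "ghostable-cli", "version": "0.0.0-example"}},
  "components": [
    {"type": "library", "name": "example-http-lib", "version": "1.2.3"},
    {"type": "library", "name": "example-yaml-lib", "version": "4.5.6"}
  ]
}
""")

# Constructed SPDX sample, shaped like a ghostable-sbom.spdx.json.
SPDX_SAMPLE = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "ghostable-server",
  "packages": [
    {"SPDXID": "SPDXRef-Package-root", "name": "ghostable-server", "versionInfo": "0.0.0-example"},
    {"SPDXID": "SPDXRef-Package-dep1", "name": "example-db-driver", "versionInfo": "7.8.9"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-root"},
    {"spdxElementId": "SPDXRef-Package-root", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-dep1"}
  ]
}
""")


if __name__ == "__main__":
    for label, doc in (("cli", CYCLONEDX_SAMPLE), ("server", SPDX_SAMPLE)):
        name, version = sbom_component(doc)
        print(label, name, version, dependency_names(doc))
```

Feed `sbom_matches_release` the name and version of the release tag you are promoting; a `False` result means the SBOM you are about to file with the change ticket does not describe the artifact you verified in step 1, and the rollout should stop there just as it would on a checksum failure.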

### 3. Verify provenance attestation

```bash theme={null}
gh attestation verify ghostable-*.tar.gz --repo ghostable-dev/ghostable
```

## Operational Guidance

* Store release artifacts and attestations in your internal artifact registry.
* Gate production rollout on successful checksum + attestation verification.
* Keep SBOM snapshots with change tickets for audit evidence.

## Notes for private desktop/server channels

* When a release channel is private (for example desktop), publish a short summary of the checksums and
  SBOM digests in customer-facing docs so that integrity can still be verified through a trusted internal
  channel even though the source repository and attestations are not publicly reachable.

## Continue

<CardGroup>
  <Card title="CLI install guide" icon="terminal" href="/cli/v2/getting-started/installation">
    Start from installation if you need the command-line setup path before verification.
  </Card>

  <Card title="Security controls matrix" icon="shield" href="/fundamentals/v2/security-and-operations/security-controls-matrix">
    Map supply-chain verification controls to broader operational evidence requirements.
  </Card>
</CardGroup>
