- SHA256SUMS for published binaries/packages
- Software bill of materials (SBOM)
- Signed provenance attestations
CLI Verification
For CLI releases, release assets include:
- <package>.tgz
- SHA256SUMS
- cli-sbom.cdx.json
1. Verify SHA256 checksum
2. Review SBOM
3. Verify provenance attestation
If you’re using GitHub attestation verification:
Desktop Verification
For desktop releases, verify:
- Ghostable-<version>.dmg
- SHA256SUMS
- desktop-sbom.spdx.json
1. Verify SHA256 checksum
2. Verify notarization and signing (macOS)
3. Verify provenance attestation
Desktop provenance attestations are generated in CI for Ghostable’s internal supply-chain controls. Because the desktop source repository is private, external users typically rely on:
- SHA256SUMS validation
- macOS notarization/signing verification (spctl + codesign)
Server Verification
For the Ghostable server/API service, release assets include:
- ghostable-<tag>.tar.gz
- SHA256SUMS
- ghostable-sbom.spdx.json
1. Verify SHA256 checksum
2. Review SBOM
3. Verify provenance attestation
Operational Guidance
- Store release artifacts and attestations in your internal artifact registry.
- Gate production rollout on successful checksum + attestation verification.
- Keep SBOM snapshots with change tickets for audit evidence.
Notes for private desktop/server channels
- When a release channel is private (for example desktop), publish a short checksum and SBOM digest summary in customer-facing docs so that integrity can still be verified through a trusted internal channel.