Ghostable release pipelines now publish integrity artifacts for each release:
  • SHA256SUMS for published binaries/packages
  • Software bill of materials (SBOM)
  • Signed provenance attestations
Use these artifacts before promoting a release into production.

CLI Verification

For the CLI package, release assets include:
  • <package>.tgz
  • SHA256SUMS
  • cli-sbom.cdx.json

1. Verify SHA256 checksum

shasum -a 256 -c SHA256SUMS

2. Review SBOM

jq '.metadata.component.name, .metadata.component.version' cli-sbom.cdx.json

3. Verify provenance attestation

If you use GitHub's attestation verification (the gh CLI), run it in a directory that contains only the downloaded tarball so the glob matches exactly one asset:
gh attestation verify *.tgz --repo ghostable-dev/cli
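The checksum and SBOM steps above, combined into the kind of promotion gate the operational guidance calls for, as an added example that is not Ghostable's own tooling. The package name ghostable-cli, version 1.2.3, the tarball bytes and the minimal CycloneDX SBOM are constructed; the provenance step is left to the gh attestation verify command above because it needs GitHub access.

```python
import hashlib
import json
import os
import tempfile

def parse_sha256sums(text):
    """filename -> expected digest; accepts '<hex>  name' and '<hex> *name' (binary mode)."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, name = line.strip().partition(" ")
            expected[name.lstrip(" *")] = digest.lower()
    return expected

def verify_checksums(release_dir, sums_name="SHA256SUMS"):
    """Return listed files that are missing or whose SHA-256 mismatches; [] means pass."""
    with open(os.path.join(release_dir, sums_name)) as f:
        expected = parse_sha256sums(f.read())
    failures = []
    for name, digest in expected.items():
        path = os.path.join(release_dir, name)
        if not os.path.isfile(path):
            failures.append(name)
            continue
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                failures.append(name)
    return failures

def gate(release_dir, expected_name, expected_version):
    """Promotion gate: every checksum verifies and the SBOM's metadata.component matches."""
    if verify_checksums(release_dir):
        return False
    with open(os.path.join(release_dir, "cli-sbom.cdx.json")) as f:
        comp = json.load(f)["metadata"]["component"]  # the fields the page's jq step prints
    return (comp["name"], comp["version"]) == (expected_name, expected_version)

def build_sample_release(tamper=False):
    """Constructed release dir: fake tarball, its SHA256SUMS and a minimal CycloneDX SBOM."""
    d = tempfile.mkdtemp()
    blob = b"constructed package bytes"
    with open(os.path.join(d, "ghostable-cli-1.2.3.tgz"), "wb") as f:
        f.write(blob + (b"!" if tamper else b""))  # tamper: contents changed after checksumming
    with open(os.path.join(d, "SHA256SUMS"), "w") as f:
        f.write(f"{hashlib.sha256(blob).hexdigest()}  ghostable-cli-1.2.3.tgz\n")
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"name": "ghostable-cli", "version": "1.2.3"}}}
    with open(os.path.join(d, "cli-sbom.cdx.json"), "w") as f:
        json.dump(sbom, f)
    return d
```

A non-empty list from verify_checksums, or a False from gate, is the signal to stop the rollout; the SBOM check also catches a correctly checksummed but wrong-version asset.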

Desktop Verification

For desktop release assets, verify:
  • Ghostable-<version>.dmg
  • SHA256SUMS
  • desktop-sbom.spdx.json

1. Verify SHA256 checksum

shasum -a 256 -c SHA256SUMS

2. Verify notarization and signing (macOS)

spctl -a -vv Ghostable-<version>.dmg
codesign -dv --verbose=4 /Applications/Ghostable.app

3. Verify provenance attestation

Desktop provenance attestations are generated in CI for Ghostable’s internal supply-chain controls. Because the desktop source repository is private, external users should rely on:
  • SHA256SUMS validation
  • macOS notarization/signing verification (spctl + codesign)

Operational Guidance

  • Store release artifacts and attestations in your internal artifact registry.
  • Gate production rollout on successful checksum + attestation verification.
  • Keep SBOM snapshots with change tickets for audit evidence.