Verifying Release Checksums¶
RAPS CLI releases include SHA256 checksums to verify download integrity and detect tampering.
Downloading Checksums¶
Checksums are published as checksums.txt alongside release artifacts on GitHub.
Verifying on Windows (PowerShell)¶
# Download the checksum file
Invoke-WebRequest -Uri "https://github.com/dmytro-yemelianov/raps/releases/download/v0.4.0/checksums.txt" -OutFile "checksums.txt"
# Calculate hash of downloaded file
$hash = Get-FileHash -Path "raps-x86_64-pc-windows-msvc.zip" -Algorithm SHA256
# Compare with checksums.txt
Select-String -Path "checksums.txt" -Pattern $hash.Hash
Verifying on macOS/Linux¶
# Download the checksum file
wget https://github.com/dmytro-yemelianov/raps/releases/download/v0.4.0/checksums.txt
# Verify checksums
sha256sum -c checksums.txt
Or using shasum on macOS:
What to Check¶
- File Integrity: The checksum verifies the file wasn't corrupted during download
- Authenticity: Compare the checksum with the one published on GitHub releases
- Tampering Detection: If checksums don't match, the file may have been modified
Verifying Build Provenance (SLSA)¶
RAPS releases include SLSA Build Level 2 provenance attestations, providing cryptographic proof that artifacts were built in GitHub Actions from this repository's source code.
# Verify provenance of a downloaded binary
gh attestation verify <path-to-binary> --repo dmytro-yemelianov/raps
This verifies: - The artifact was built by GitHub Actions (not a local machine) - It was built from the official repository - The build process wasn't tampered with
Security Best Practices¶
- Always verify checksums before installing binaries
- Verify SLSA provenance for additional supply chain assurance
- Download checksums from the official GitHub releases page
- Use HTTPS when downloading files
- Store checksums securely for audit purposes