# Verifying Releases (https://jackin.tailrocks.com/getting-started/verifying-releases/)

Every jackin' release publishes signed artifacts alongside the binaries. This page explains what is available and how to use it.

## What you need to do [#what-you-need-to-do]

Nothing. When jackin' downloads `jackin-capsule` for the first time (or after clearing the cache), it automatically verifies a signed manifest before accepting and caching the binary. Subsequent launches reuse the already-verified cached binary. The verification is silent and transparent — you only notice it if something is wrong (in which case the launch aborts with an error message).

The verification tools described below are for operators who want to audit a download themselves, integrate jackin' into a supply chain policy, or confirm the integrity of any release asset manually.

## What is published per release [#what-is-published-per-release]

Each release includes the following assets for every binary archive:

| Asset                     | Purpose                                     |
| ------------------------- | ------------------------------------------- |
| `<name>.tar.gz`           | The binary archive                          |
| `<name>.tar.gz.sha256`    | SHA256 digest of the archive                |
| `<name>.tar.gz.bundle`    | Cosign keyless signature bundle             |
| `<name>.tar.gz.sbom.json` | CycloneDX SBOM (software bill of materials) |

The capsule binary additionally has a signed manifest:

| Asset                          | Purpose                                          |
| ------------------------------ | ------------------------------------------------ |
| `capsule-manifest.json`        | Version + per-architecture SHA256 digests        |
| `capsule-manifest.json.bundle` | Cosign keyless signature bundle for the manifest |

## Verify with SLSA provenance (GitHub Attestations) [#verify-with-slsa-provenance-github-attestations]

Requires `gh` CLI (already installed if you used Homebrew to install jackin').

```sh
gh attestation verify <file> --repo jackin-project/jackin
```

This checks that the file was produced by a jackin' GitHub Actions run and is linked to the source commit. No extra tools required.

## Verify with cosign bundle [#verify-with-cosign-bundle]

Requires `cosign` installed locally (`brew install cosign` or `mise install cosign`).

```sh
cosign verify-blob \
  --bundle <file>.bundle \
  --certificate-identity-regexp 'https://github.com/jackin-project/jackin/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <file>
```

This verifies the keyless OIDC signature, confirms the certificate was issued to a jackin' GitHub Actions workflow, and checks the Sigstore transparency log entry.

To verify the capsule manifest specifically:

```sh
cosign verify-blob \
  --bundle capsule-manifest.json.bundle \
  --certificate-identity-regexp 'https://github.com/jackin-project/jackin/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  capsule-manifest.json
```
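The automatic check described under "What you need to do" is two steps: verify the manifest signature with cosign as above, then compare the downloaded archive's SHA256 with the digest the manifest pins for the host architecture. The following added Python example (not jackin's own code) implements that second step; the manifest layout (`version` plus a `digests` map keyed by architecture), the architecture names, and the `sha256sum`-style layout of the `.sha256` sidecar are assumptions.

```python
# Added example (not jackin's own code): the digest check that follows a
# successful `cosign verify-blob` of capsule-manifest.json. Assumed manifest
# layout: {"version": "<ver>", "digests": {"<arch>": "<sha256 hex>"}}.
import hashlib
import hmac
import json


class VerificationError(Exception):
    """Archive does not match the signed manifest; the launch must abort."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256_sidecar(text: str) -> str:
    """Digest from a `<name>.tar.gz.sha256` file, assumed `sha256sum` style: "<hex>  <name>"."""
    parts = text.split()
    digest = parts[0].lower() if parts else ""
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise VerificationError("malformed .sha256 sidecar")
    return digest


def verify_capsule(archive: bytes, manifest_json: str, arch: str, sidecar: str = "") -> str:
    """Return the manifest version if `archive` matches the digest pinned for `arch`.
    The cosign signature covers the whole manifest, so a match here ties the
    archive to a release built by the jackin' GitHub Actions workflow."""
    manifest = json.loads(manifest_json)
    expected = manifest.get("digests", {}).get(arch)
    if not isinstance(expected, str):
        raise VerificationError(f"manifest pins no digest for {arch}")
    actual = sha256_hex(archive)
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(f"{arch}: archive sha256 {actual} != manifest {expected}")
    # The .sha256 sidecar is unsigned; if supplied it must agree with the signed manifest.
    if sidecar and not hmac.compare_digest(parse_sha256_sidecar(sidecar), expected.lower()):
        raise VerificationError("manifest and .sha256 sidecar disagree")
    return manifest["version"]


# Constructed sample assets (arch names, version and archive bytes are made up).
SAMPLE_ARCHIVE = b"constructed stand-in for jackin-capsule-linux-amd64.tar.gz"
SAMPLE_MANIFEST = json.dumps({"version": "1.2.3", "digests": {
    "linux-amd64": sha256_hex(SAMPLE_ARCHIVE), "darwin-arm64": "0" * 64}})
SAMPLE_SIDECAR = f"{sha256_hex(SAMPLE_ARCHIVE)}  jackin-capsule-linux-amd64.tar.gz\n"
```

Any `VerificationError` corresponds to the aborted launch mentioned above: the cached binary is never accepted when the pinned digest does not match.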

## Inspect the SBOM [#inspect-the-sbom]

The `.sbom.json` files are CycloneDX JSON documents listing the binary's file-level and ELF-level dependencies.

```sh
# Inspect raw content
jq . <file>.sbom.json

# Validate with cyclonedx-cli (.NET tool, install separately)
cyclonedx validate --input-file <file>.sbom.json
```

## Download release assets [#download-release-assets]

All assets are available at `https://github.com/jackin-project/jackin/releases`. Preview builds are published to the `preview` rolling tag; stable releases use versioned `v<version>` tags.
