Verifying Releases
Every jackin' release publishes signed artifacts alongside the binaries. This page explains what is available and how to use it.
What you need to do
Nothing. When jackin' downloads jackin-capsule for the first time (or after clearing the cache), it automatically verifies a signed manifest before accepting and caching the binary. Subsequent launches reuse the already-verified cached binary. The verification is silent and transparent — you only notice it if something is wrong (in which case the launch aborts with an error message).
The verification tools described below are for operators who want to audit a download themselves, integrate jackin' into a supply chain policy, or confirm the integrity of any release asset manually.
What is published per release
Each release includes the following assets for every binary archive:
| Asset | Purpose |
|---|---|
| <name>.tar.gz | The binary archive |
| <name>.tar.gz.sha256 | SHA256 digest of the archive |
| <name>.tar.gz.bundle | Cosign keyless signature bundle |
| <name>.tar.gz.sbom.json | CycloneDX SBOM (software bill of materials) |
The capsule binary additionally has a signed manifest:
| Asset | Purpose |
|---|---|
| capsule-manifest.json | Version + per-architecture SHA256 digests |
| capsule-manifest.json.bundle | Cosign keyless signature bundle for the manifest |
Verify with SLSA provenance (GitHub Attestations)
Requires the gh CLI (already installed if you used Homebrew to install jackin').
gh attestation verify <file> --repo jackin-project/jackin
This checks that the file was produced by a jackin' GitHub Actions run and is linked to the source commit. No extra tools required.
Verify with cosign bundle
Requires cosign installed locally (brew install cosign or mise install cosign).
cosign verify-blob \
--bundle <file>.bundle \
--certificate-identity-regexp 'https://github.com/jackin-project/jackin/' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<file>
This verifies the keyless OIDC signature, confirms the certificate was issued to a jackin' GitHub Actions workflow, and checks the Sigstore transparency log entry.
To verify the capsule manifest specifically:
cosign verify-blob \
--bundle capsule-manifest.json.bundle \
--certificate-identity-regexp 'https://github.com/jackin-project/jackin/' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
capsule-manifest.json
Inspect the SBOM
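Signature verification with cosign or gh establishes who produced the manifest and the archives; the remaining step an auditor performs is matching the bytes they actually downloaded against the published digests. The following is an added example, not jackin' project code: it checks an archive against its .tar.gz.sha256 file and a capsule binary against the per-architecture digest in capsule-manifest.json. Two things are assumptions, because this page does not document them: that the .sha256 file uses the sha256sum text format ("<hex>  <name>"), and that the manifest carries a top-level "version" plus a "digests" object keyed by architecture. The sample archive bytes, digest file and manifest are constructed inline so the script runs offline; adjust the field names to whatever the real manifest uses.

```python
"""Offline digest check of a jackin' release asset and of the capsule
binary against the capsule manifest.

Added example, not jackin' project code. Assumptions (not documented on
the release page):
  * <name>.tar.gz.sha256 is sha256sum-style text:  "<hex>  <name>"
  * capsule-manifest.json looks like
        {"version": "...", "digests": {"<arch>": "<hex>", ...}}
Signature checks (cosign verify-blob / gh attestation verify) are a
separate step and are not reproduced here.
"""
import hashlib
import hmac
import json

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256_file(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Accepts both "<hex>  <name>" and "<hex> *<name>" (binary-mode marker).
    Rejects anything that is not a 64-character hex digest, so a corrupted
    or truncated digest file fails loudly instead of matching nothing.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed digest line: {line!r}")
        hex_digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(hex_digest) != 64 or not set(hex_digest) <= HEX_DIGITS:
            raise ValueError(f"not a SHA256 hex digest: {parts[0]!r}")
        digests[name] = hex_digest
    return digests


def verify_asset(name: str, data: bytes, sha256_file_text: str) -> bool:
    """True if `data` matches the digest listed for `name` in the .sha256 file."""
    expected = parse_sha256_file(sha256_file_text).get(name)
    if expected is None:
        raise ValueError(f"no digest listed for {name!r}")
    # Constant-time compare; digests are not secrets, but it costs nothing.
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_capsule(data: bytes, manifest_text: str, arch: str,
                   expected_version=None) -> bool:
    """True if `data` matches the manifest digest for `arch`.

    `expected_version`, when given, must also equal the manifest's version,
    which catches a valid-but-stale manifest being served for a newer build.
    Raises KeyError if the manifest has no entry for the architecture.
    """
    manifest = json.loads(manifest_text)
    if expected_version is not None and manifest.get("version") != expected_version:
        return False
    expected = manifest.get("digests", {}).get(arch)
    if expected is None:
        raise KeyError(f"manifest has no digest for architecture {arch!r}")
    return hmac.compare_digest(sha256_hex(data), expected.lower())


# Constructed sample data (hypothetical names and contents, not real release assets).
CAPSULE_NAME = "jackin-capsule-x86_64-linux.tar.gz"
CAPSULE_BYTES = b"constructed sample archive contents, not a real binary\n"
SHA256_FILE = f"{sha256_hex(CAPSULE_BYTES)}  {CAPSULE_NAME}\n"
MANIFEST = json.dumps({
    "version": "0.0.0-example",
    "digests": {
        "x86_64-linux": sha256_hex(CAPSULE_BYTES),
        "aarch64-linux": "0" * 64,   # deliberately wrong, to show a mismatch
    },
})


def run_checks() -> dict:
    """Run every check on the constructed data and return the outcomes."""
    return {
        "asset_ok": verify_asset(CAPSULE_NAME, CAPSULE_BYTES, SHA256_FILE),
        "asset_tampered": verify_asset(CAPSULE_NAME, CAPSULE_BYTES + b"x", SHA256_FILE),
        "capsule_ok": verify_capsule(CAPSULE_BYTES, MANIFEST, "x86_64-linux",
                                     expected_version="0.0.0-example"),
        "capsule_wrong_arch": verify_capsule(CAPSULE_BYTES, MANIFEST, "aarch64-linux"),
        "capsule_stale_version": verify_capsule(CAPSULE_BYTES, MANIFEST, "x86_64-linux",
                                                expected_version="9.9.9"),
    }


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{check:22s} {'PASS' if ok else 'FAIL'}")
```

Order matters in practice: verify the manifest's cosign bundle first, then compare the binary against the digest the verified manifest lists. A digest that matches an unverified manifest proves only that the two files are consistent with each other, not that either came from the project's release workflow.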
The .sbom.json files are CycloneDX JSON documents listing the binary's file-level and ELF-level dependencies.
# Inspect raw content
jq . <file>.sbom.json
# Validate with cyclonedx-cli (.NET tool, install separately)
cyclonedx validate --input-file <file>.sbom.json
Download release assets
All assets are available at https://github.com/jackin-project/jackin/releases. Preview builds are published to the preview rolling tag; stable releases use versioned v<version> tags.