Release Artifacts
Signed builds, checksums, SBOMs, and provenance notes for public releases.
This page lists the public release evidence that downstream operators and reviewers should inspect before trusting a tagged build. The release process is only considered complete when the artifact, the checksum, and the provenance note all match the same version.
What to check
- Signed builds. Verify the release signature against the published maintainer key.
- Checksums. Confirm the SHA-256 digest matches the release log entry.
- SBOM. Inspect the CycloneDX inventory for the tagged build.
- Manifest. Check release-manifest.json and release-manifest.json.sha256 for the published inventory and digests.
- Provenance. Read the build metadata and release note together before promoting the binary.
Promotion guidance
Promoting a release without checking the artifacts defeats the point of publishing them. Operators should treat a mismatch in signature, checksum, or provenance as a stop sign until the release manager issues a corrected build or a documented exception.
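The checksum and manifest checks above can be run as a fail-closed gate. The sketch below is an added example, not this project's tooling. The manifest fields (version, artifacts, name, sha256), the sha256sum-style layout of release-manifest.json.sha256, and the sample file names are assumptions, and signature verification against the maintainer key remains a separate step.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_release(release_dir, expected_version):
    """Return a list of mismatches; promote only when the list is empty."""
    d = Path(release_dir)
    try:
        # Assumed sidecar layout (sha256sum style): "<hex digest>  <file name>"
        want = (d / "release-manifest.json.sha256").read_text().split()[0].lower()
        raw = (d / "release-manifest.json").read_bytes()
    except (OSError, IndexError):
        return ["manifest or its digest file is missing or empty"]
    if hashlib.sha256(raw).hexdigest() != want:
        return ["manifest digest mismatch"]  # stop: its contents are untrusted
    data, problems = json.loads(raw), []
    if data.get("version") != expected_version:
        problems.append(f"manifest version {data.get('version')!r} != {expected_version!r}")
    artifacts = data.get("artifacts") or []
    if not artifacts:
        problems.append("manifest lists no artifacts")
    for entry in artifacts:
        name, path = entry["name"], d / entry["name"]
        if Path(name).name != name:
            problems.append(f"{name}: path outside the release directory")
        elif not path.is_file():
            problems.append(f"{name}: listed but not present")
        elif sha256_file(path) != entry["sha256"].lower():
            problems.append(f"{name}: digest mismatch")
    return problems

def build_sample(d, version="v0.0.0-example"):
    """Write a constructed release (not real project data) into directory d."""
    d = Path(d)
    (d / "app.tar.gz").write_bytes(b"constructed artifact bytes")
    (d / "sbom.cdx.json").write_text('{"bomFormat": "CycloneDX"}')
    arts = [{"name": n, "sha256": sha256_file(d / n)} for n in ("app.tar.gz", "sbom.cdx.json")]
    body = json.dumps({"version": version, "artifacts": arts}).encode()
    (d / "release-manifest.json").write_bytes(body)
    (d / "release-manifest.json.sha256").write_text(f"{hashlib.sha256(body).hexdigest()}  release-manifest.json\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(verify_release(tmp, "v0.0.0-example") or "all digests match")
```

The manifest digest is checked before the manifest is parsed, so a tampered inventory is rejected without its entries being trusted.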
References
- Mainnet policy — release gates and rollback rules.
- Service level objectives — availability targets for release windows.
- Release provenance — signed builds, checksums, and attestation expectations.
- Operations — deployment notes and verification endpoints.
- Status — current status dashboard, uptime sources, and incident thresholds.