KuberCoin Docs

Release Artifacts

Signed builds, checksums, SBOMs, and provenance notes for public releases.

This page lists the public release evidence that downstream operators and reviewers should inspect before trusting a tagged build. The release process is only considered complete when the artifact, the checksum, and the provenance note all match the same version.

What to check

  • Signed builds. Verify the release signature against the published maintainer key.
  • Checksums. Confirm the SHA-256 digest matches the release log entry.
  • SBOM. Inspect the CycloneDX inventory for the tagged build.
  • Manifest. Check release-manifest.json and release-manifest.json.sha256 for the published inventory and digests.
  • Provenance. Read the build metadata and release note together before promoting the binary.

Promotion guidance

Promoting a release without checking the artifacts defeats the point of publishing them. Operators should treat a mismatch in signature, checksum, or provenance as a stop sign until the release manager issues a corrected build or a documented exception.
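The checksum and manifest checks above can be scripted so that any mismatch blocks promotion. The sketch below is an added example, not KuberCoin's own tooling. It assumes a manifest with a "version" field and an "artifacts" list of name/sha256 pairs, and a sha256sum-style sidecar; the artifact names and version string are constructed sample data. It does not replace the signature check against the maintainer key.

```python
import hashlib, json, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_release(release_dir, expected_version):
    """Return a list of problems; an empty list means every digest agrees."""
    d = Path(release_dir)
    manifest = d / "release-manifest.json"
    sidecar = d / "release-manifest.json.sha256"
    if not (manifest.is_file() and sidecar.is_file()):
        return ["manifest or its .sha256 sidecar is missing"]
    fields = sidecar.read_text().split()  # assumed sha256sum-style: "<hex>  <name>"
    if not fields or sha256_file(manifest) != fields[0].lower():
        return ["manifest digest does not match sidecar"]  # stop: manifest untrusted
    data = json.loads(manifest.read_text())  # assumed schema, see lead-in
    problems = []
    if data.get("version") != expected_version:
        problems.append(f"manifest version {data.get('version')!r} != {expected_version!r}")
    artifacts = data.get("artifacts") or []
    if not artifacts:
        problems.append("manifest lists no artifacts")
    for entry in artifacts:
        name = entry.get("name", "")
        if not name or Path(name).name != name:  # refuse paths outside the release dir
            problems.append(f"unsafe artifact name {name!r}")
        elif not (d / name).is_file():
            problems.append(f"{name}: missing")
        elif sha256_file(d / name) != str(entry.get("sha256", "")).lower():
            problems.append(f"{name}: SHA-256 mismatch")
    return problems

def build_sample(d, version="v0.0.0-example"):
    """Write a constructed release directory (sample data, not a real release)."""
    d = Path(d)
    (d / "node.tar.gz").write_bytes(b"constructed artifact bytes")
    (d / "sbom.cdx.json").write_text('{"bomFormat": "CycloneDX"}')
    arts = [{"name": n, "sha256": sha256_file(d / n)} for n in ("node.tar.gz", "sbom.cdx.json")]
    (d / "release-manifest.json").write_text(json.dumps({"version": version, "artifacts": arts}))
    digest = sha256_file(d / "release-manifest.json")
    (d / "release-manifest.json.sha256").write_text(f"{digest}  release-manifest.json\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(verify_release(tmp, "v0.0.0-example") or "digests agree; continue to signature check")
```

A matching sidecar only shows the manifest and artifacts are internally consistent; the signature over the release is what ties them to the maintainer key.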
