Docs · Releases
Release verification.
ResolvedThe release workflow requires SHA-256 checksums alongside every binary archive. v0.1.8 with SHA-256 checksums, SBOM, and cosign signing.
Release artifact status
v0.1.8 with SHA-256 checksums, SBOM, and cosign signing. Download URLs are live on the v0.1.8 GitHub Release page.
Release artifacts available: The v0.1.8 release is publicly available on GitHub with binary archives for 4 platforms, SHA-256 checksums for each, CycloneDX SBOM (engine + MCP), cosign keyless signing (Sigstore Fulcio), SLSA build-provenance attestation, SBOM attestation, and cargo-auditable dependency embedding. The verification process documented below is actionable for the v0.1.8 release.
Install from source: You can also build from source. See the CLI install page for instructions using cargo install --git.
OS code signing status: Windows Authenticode and macOS Developer ID / Gatekeeper notarization are not yet implemented. Binaries may trigger OS security prompts on first launch. Code signing for both platforms is a separate planned enhancement. Supply chain attestation (SBOM, cosign signing, SLSA provenance) shipped with v0.1.8 — see the trust page supply chain section.
SHA-256 verification process
When release artifacts are available, each download will be accompanied by a .sha256 checksum file. Verify the checksum before running any binary.
Linux and macOS:
# Verify the downloaded archive against its companion .sha256 file
sha256sum -c ledgerful-<platform>.tar.gz.sha256
# A passing verification prints:
# ledgerful-<platform>.tar.gz: OKWindows (PowerShell):
# Compute the SHA-256 hash of the downloaded Windows archive
(Get-FileHash ledgerful-x86_64-pc-windows-msvc.zip -Algorithm SHA256).Hash
# Compare the output to ledgerful-x86_64-pc-windows-msvc.zip.sha256.
# They must match exactly (case-insensitive).FAILED output from sha256sum, or a hash mismatch on Windows, means the download is corrupt or has been tampered with. Delete the file and re-download from the official release page.Health report
If you encounter an issue with Ledgerful, run ledgerful doctor to print a local environment and dependency health report. It does not create a bundle or archive.
# Print the environment and dependency health report
ledgerful doctorWhat doctor checks: Daemon reachability, ledger integrity, key pair presence, and project configuration validity. Output is safe to share — it does not include source code, diff content, commit messages, or private key material.
Reporting issues: General (non-security) bugs can be reported via GitHub Issues on the public repository. For security vulnerabilities, see the trust and security page for the responsible disclosure channel.