Skip to content

Docs · Releases

Release verification.

Resolved

The release workflow requires SHA-256 checksums alongside every binary archive. v0.1.8 with SHA-256 checksums, SBOM, and cosign signing.

Release artifact status

v0.1.8 with SHA-256 checksums, SBOM, and cosign signing. Download URLs are live on the v0.1.8 GitHub Release page.

Release artifacts available: The v0.1.8 release is publicly available on GitHub with binary archives for 4 platforms, SHA-256 checksums for each, CycloneDX SBOM (engine + MCP), cosign keyless signing (Sigstore Fulcio), SLSA build-provenance attestation, SBOM attestation, and cargo-auditable dependency embedding. The verification process documented below is actionable for the v0.1.8 release.

Install from source: You can also build from source. See the CLI install page for instructions using cargo install --git.

OS code signing status: Windows Authenticode and macOS Developer ID / Gatekeeper notarization are not yet implemented. Binaries may trigger OS security prompts on first launch. Code signing for both platforms is a separate planned enhancement. Supply chain attestation (SBOM, cosign signing, SLSA provenance) shipped with v0.1.8 — see the trust page supply chain section.

SHA-256 verification process

When release artifacts are available, each download will be accompanied by a .sha256 checksum file. Verify the checksum before running any binary.

Linux and macOS:

# Verify the downloaded archive against its companion .sha256 file
sha256sum -c ledgerful-<platform>.tar.gz.sha256

# A passing verification prints:
# ledgerful-<platform>.tar.gz: OK

Windows (PowerShell):

# Compute the SHA-256 hash of the downloaded Windows archive
(Get-FileHash ledgerful-x86_64-pc-windows-msvc.zip -Algorithm SHA256).Hash

# Compare the output to ledgerful-x86_64-pc-windows-msvc.zip.sha256.
# They must match exactly (case-insensitive).
Failure means do not use: Any FAILED output from sha256sum, or a hash mismatch on Windows, means the download is corrupt or has been tampered with. Delete the file and re-download from the official release page.

Health report

If you encounter an issue with Ledgerful, run ledgerful doctor to print a local environment and dependency health report. It does not create a bundle or archive.

# Print the environment and dependency health report
ledgerful doctor

What doctor checks: Daemon reachability, ledger integrity, key pair presence, and project configuration validity. Output is safe to share — it does not include source code, diff content, commit messages, or private key material.

Reporting issues: General (non-security) bugs can be reported via GitHub Issues on the public repository. For security vulnerabilities, see the trust and security page for the responsible disclosure channel.