Release Verification
Local Emulation
Use the checked-in release scripts before you cut a tag:
make verify-branch-protection
make smoke-release
make release-emulate
make verify-branch-protection catches stale required-check policies before they block or silently weaken the release line.
make smoke-release packages and verifies the host-native CLI and GUI release artifacts. On Linux hosts that includes both the direct archives and the .deb packages. On macOS hosts that includes the direct archives and the GUI .dmg image. The smoke path includes checked-in payload-layout validation before any executable smoke assertions run.
On Linux hosts with the repository builder toolchain, packaged GUI smoke validation also captures a screenshot of the rendered window under Xvfb and fails if the capture is blank or unexpectedly small.
make release-emulate runs the Linux amd64 release path through the repository-owned builder container, including the Debian package outputs.
Verify a Published Release End to End
If a tag is already published, use the checked-in verifier instead of replaying the commands manually:
make verify-published-release TAG=paranoid-passwd-v3.5.2
That script verifies:
- the exact expected asset set
- checksum integrity for every published CLI and GUI artifact, including Linux .deb packages and macOS GUI .dmg images
- expected payload layout for every published CLI and GUI artifact, including macOS .app bundles inside archives and .dmg images, Linux GUI desktop metadata, and Debian package filesystem roots
- GitHub attestation for the host-native downloadable artifacts, including Linux .deb packages on Linux hosts and the GUI .dmg image on macOS hosts
- the host-native smoke path through scripts/smoke_test_release_artifact.sh for both binaries and, on Linux hosts, both .deb packages, and on macOS hosts, the GUI .dmg image
Download a Release
TAG=$(gh release view --repo jbcom/paranoid-passwd --json tagName --jq .tagName)
VERSION="${TAG#paranoid-passwd-v}"
gh release download "$TAG" --repo jbcom/paranoid-passwd \
-p "paranoid-passwd-${VERSION}-darwin-arm64.tar.gz" \
-p "paranoid-passwd-gui-${VERSION}-darwin-arm64.tar.gz" \
-p "paranoid-passwd-gui-${VERSION}-darwin-arm64.dmg" \
-p "checksums.txt"
Verify the Checksum
On macOS (the darwin-arm64 assets downloaded above):
grep "paranoid-passwd-${VERSION}-darwin-arm64.tar.gz$" checksums.txt | shasum -a 256 -c
grep "paranoid-passwd-gui-${VERSION}-darwin-arm64.tar.gz$" checksums.txt | shasum -a 256 -c
grep "paranoid-passwd-gui-${VERSION}-darwin-arm64.dmg$" checksums.txt | shasum -a 256 -c
On Linux:
grep "paranoid-passwd-${VERSION}-linux-amd64.tar.gz$" checksums.txt | sha256sum -c
grep "paranoid-passwd_${VERSION}_amd64.deb$" checksums.txt | sha256sum -c
grep "paranoid-passwd-gui-${VERSION}-linux-amd64.tar.gz$" checksums.txt | sha256sum -c
grep "paranoid-passwd-gui_${VERSION}_amd64.deb$" checksums.txt | sha256sum -c
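The grep-and-check one-liners above have a quiet failure mode: if an asset name is missing from checksums.txt, grep emits nothing and the hash tool only reports that it found no checksum lines. The wrapper below is an added example, not a script from the paranoid-passwd repository; it assumes checksums.txt and the assets sit in the current directory, and returns a distinct exit code for a missing entry, a duplicated entry, and a digest mismatch.

```shell
#!/usr/bin/env bash
# Added example (not part of paranoid-passwd): stricter form of
#   grep "<asset>$" checksums.txt | sha256sum -c
# Assumes checksums.txt and the downloaded assets are in the current directory.
set -u

# Pick the host-native hashing tool: sha256sum on Linux, shasum on macOS.
sha256_check_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    echo "sha256sum -c"
  else
    echo "shasum -a 256 -c"
  fi
}

# verify_release_asset CHECKSUMS_FILE ASSET_NAME
# Exit codes: 0 verified, 1 digest mismatch, 2 no entry for the asset,
# 3 more than one entry for the asset, 4 checksums file unreadable.
verify_release_asset() {
  local checksums="$1" asset="$2" count entry
  [ -r "$checksums" ] || { echo "cannot read ${checksums}" >&2; return 4; }
  # Compare the file-name field exactly, so "x.tar.gz" never matches "x.tar.gz.sig".
  count=$(awk -v name="$asset" 'NF == 2 && $2 == name { n++ } END { print n + 0 }' "$checksums")
  if [ "$count" -eq 0 ]; then
    echo "no checksum entry for ${asset}" >&2
    return 2
  elif [ "$count" -gt 1 ]; then
    echo "ambiguous: ${count} checksum entries for ${asset}" >&2
    return 3
  fi
  entry=$(awk -v name="$asset" 'NF == 2 && $2 == name' "$checksums")
  # Feed only the single matching line to the checker, as the page's one-liners do.
  if printf '%s\n' "$entry" | $(sha256_check_cmd) >/dev/null 2>&1; then
    return 0
  fi
  echo "checksum mismatch for ${asset}" >&2
  return 1
}

# verify_release_assets CHECKSUMS_FILE ASSET... : checks every asset, fails if any fails.
verify_release_assets() {
  local checksums="$1" asset failed=0
  shift
  for asset in "$@"; do
    verify_release_asset "$checksums" "$asset" || failed=1
  done
  return "$failed"
}
```

Call it with the asset names you downloaded, e.g. `verify_release_assets checksums.txt "paranoid-passwd-${VERSION}-darwin-arm64.tar.gz" "paranoid-passwd-gui-${VERSION}-darwin-arm64.dmg"`.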
Verify GitHub Attestation
gh attestation verify "paranoid-passwd-${VERSION}-darwin-arm64.tar.gz" --owner jbcom
gh attestation verify "paranoid-passwd-gui-${VERSION}-darwin-arm64.tar.gz" --owner jbcom
gh attestation verify "paranoid-passwd-gui-${VERSION}-darwin-arm64.dmg" --owner jbcom
This ties the archives back to the GitHub Actions workflow run that produced them.
On Linux, the same applies to the .deb packages:
gh attestation verify "paranoid-passwd_${VERSION}_amd64.deb" --owner jbcom
gh attestation verify "paranoid-passwd-gui_${VERSION}_amd64.deb" --owner jbcom
Verify the Installer Surface
The release workflow also validates docs/public/install.sh against a local HTTP server backed by the built archives. If you already have a complete release dist directory locally, you can rerun that validation with:
bash scripts/release_validate.sh "$VERSION" dist/release