Checksums, detached signatures, and manual verification docs are already shipped on main.
What is already done:
- GitHub Releases publish `checksums.txt`
- Releases publish `checksums.txt.sig` signed with the same KMS trust chain used by `proov update`
- manual verification is documented in `docs/release-verification.md` and linked from the README
Remaining scope for this issue:
- evaluate Apple code signing for direct-download macOS binaries
- evaluate notarization for macOS release artifacts
- document the final operator workflow, prerequisites, and release-time steps if adopted
Why this remains open:
- the current remaining gap is platform trust UX for macOS direct downloads, not checksum/signature publication