Signature verification with the Cosign tool:
- Download the release file (e.g. checksums.txt) together with its signature material, the .sig and .pem files that are published beside it.
- Run the verify command:
cosign verify-blob --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' --cert checksums.txt.pem --signature checksums.txt.sig ./checksums.txt
- If cosign prints Verified OK (and exits with status 0), the signature and certificate check out and the file has not been modified since it was signed. Any other result means the file, the signature or the certificate does not match and the download should not be trusted.
This is keyless signing: the certificate was issued against a GitHub Actions OIDC token, so the --certificate-identity and --certificate-oidc-issuer flags pin the signer to that specific goreleaser workflow in the charmbracelet/meta repository, on its main branch, rather than to a long-lived key. A signature produced by any other workflow, repository or branch fails the check.
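The same check as a script, plus the step the page stops short of: once checksums.txt is verified, the downloaded archive itself still has to be compared against the entry in that manifest. This is an added example, not code from the page or from the Crush project. It assumes cosign is on PATH and that the files use the names shown above; the archive names and checksum file in the usage are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the Crush project).
# Assumptions: cosign is installed; the checksum manifest and its
# signature material follow the naming shown on the page
# (checksums.txt, checksums.txt.sig, checksums.txt.pem).

CERT_IDENTITY='https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Step 1: verify the keyless signature on the checksum manifest.
# cosign exits non-zero when verification fails, so callers should rely on
# the exit status rather than grepping the output for "Verified OK".
verify_checksums_signature() {
  checksums="${1:-checksums.txt}"
  cosign verify-blob \
    --certificate-identity "$CERT_IDENTITY" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --cert "${checksums}.pem" \
    --signature "${checksums}.sig" \
    "$checksums"
}

# Portable SHA-256 helper: coreutils sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Step 2: compare a downloaded archive against its line in the verified
# manifest (goreleaser writes "<sha256>  <filename>" per line).
# Returns 0 on match, 1 on mismatch, 2 if the manifest has no entry for it.
verify_artifact_checksum() {
  checksums="$1"
  artifact="$2"
  name="$(basename "$artifact")"
  expected="$(awk -v n="$name" '$2 == n {print $1; exit}' "$checksums")"
  if [ -z "$expected" ]; then
    echo "no entry for $name in $checksums" >&2
    return 2
  fi
  actual="$(sha256_of "$artifact")"
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum OK: $name"
}

# Full flow for one release archive: signature on the manifest first, then
# the archive against the manifest. Example archive name is hypothetical.
verify_release() {
  checksums="$1"
  artifact="$2"
  verify_checksums_signature "$checksums" || return 1
  verify_artifact_checksum "$checksums" "$artifact"
}
```

Usage: `verify_release checksums.txt crush_1.0.0_Linux_x86_64.tar.gz` (archive name hypothetical). The order matters: checking the archive's hash against an unverified checksums.txt proves nothing, because an attacker who can replace the archive can replace the manifest too; the cosign step is what ties the manifest to the charmbracelet/meta build workflow.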
This answer comes from the article "Crush: terminal AI programming assistant with integrated LSP and multi-model switching".