
Releases & Supply Chain

Multi-platform signed release binaries with SHA-256 checksums, CycloneDX SBOM, and Sigstore signatures.


Paraloom releases are built and published from CI with a verifiable supply chain. Every published artifact comes with:

  • A SHA-256 checksum (SHA256SUMS file)
  • A CycloneDX SBOM (Software Bill of Materials)
  • A Sigstore signature over the checksums file (keyless, OIDC-bound to the GitHub Actions workflow)

This closes issue #70. Implementation lives in .github/workflows/release.yml in paraloom-core.

Platforms

Target              | Triple                    | Signed binary
Linux x86_64        | x86_64-unknown-linux-gnu  | ✓ published (glibc, most common)
macOS Apple Silicon | aarch64-apple-darwin      | ✓ published (M-series)
Windows x86_64      | x86_64-pc-windows-msvc    | not yet — run via WSL2, or build from source
Linux aarch64       | aarch64-unknown-linux-gnu | not yet — build from source (Raspberry Pi 5, ARM servers)
Intel macOS         | x86_64-apple-darwin       | not yet — build from source

Each release publishes both the unified paraloom CLI and the node-only paraloom-node for the two ✓ targets. Windows, ARM Linux and Intel macOS aren't built as signed binaries yet (the Solana SDK on Windows MSVC and the RocksDB cross-build are post-v0.5.0 follow-ups) — build from source per Quick start; Windows runs fine under WSL2.

Verifying a release

# 1. Download the binary, checksums file, signature, and certificate
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/latest/download/paraloom-node-linux-amd64
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/latest/download/SHA256SUMS
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/latest/download/SHA256SUMS.sig
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/latest/download/SHA256SUMS.pem

# 2. Verify the Sigstore signature on the checksums file
$ cosign verify-blob \
    --certificate SHA256SUMS.pem \
    --signature SHA256SUMS.sig \
    --certificate-identity-regexp 'https://github.com/paraloom-labs/paraloom-core/.*' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
    SHA256SUMS

# 3. Verify the binary matches the (now-trusted) checksums file
$ sha256sum -c SHA256SUMS --ignore-missing
paraloom-node-linux-amd64: OK

If any step fails, do not run the binary. Open an issue at paraloom-core/issues.
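Step 3 as a fail-closed script, added here as an example and not part of Paraloom's tooling: it re-implements the sha256sum -c check in pure Python so that the failure modes (bad digest, malformed checksums file, binary not listed at all) are explicit rather than silently skipped by --ignore-missing. It assumes step 2 (cosign verify-blob over SHA256SUMS) has already passed, and the checksums and binary it operates on are constructed.

```python
"""Added example, not Paraloom's own tooling: a fail-closed version of step 3
(`sha256sum -c SHA256SUMS --ignore-missing`) in pure Python. It assumes step 2,
cosign verify-blob over SHA256SUMS, has already passed. Sample data is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# GNU sha256sum format: 64 hex digits, two spaces (or " *" for binary mode), filename.
_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def parse_sha256sums(text: str) -> dict[str, str]:
    """Map filename -> expected digest; a malformed line is an error, not skipped."""
    sums: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = _LINE.match(raw.strip())
        if not m:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {raw!r}")
        digest, name = m.groups()
        sums[Path(name).name] = digest  # release assets are assumed to be flat
    return sums

def verify_artifact(sums: dict[str, str], path: str) -> tuple[bool, str]:
    """Return (ok, message). Unlike --ignore-missing, a file absent from the
    signed checksums file is a failure: it is untrusted, not skipped."""
    p = Path(path)
    expected = sums.get(p.name)
    if expected is None:
        return False, f"{p.name}: not listed in SHA256SUMS"
    actual = hashlib.sha256(p.read_bytes()).hexdigest()
    if actual != expected:
        return False, f"{p.name}: FAILED (expected {expected[:12]}.., got {actual[:12]}..)"
    return True, f"{p.name}: OK"

def demo() -> list[tuple[bool, str]]:
    """Exercise the three outcomes (OK, tampered, unlisted) on constructed files."""
    payload = b"constructed stand-in for the release binary\n"
    sums = parse_sha256sums(hashlib.sha256(payload).hexdigest() + "  paraloom-node-linux-amd64\n")
    with tempfile.TemporaryDirectory() as d:
        binary = Path(d) / "paraloom-node-linux-amd64"
        binary.write_bytes(payload)
        ok = verify_artifact(sums, str(binary))
        binary.write_bytes(payload + b"\x00")  # simulate a tampered download
        tampered = verify_artifact(sums, str(binary))
        unlisted = verify_artifact(sums, str(Path(d) / "paraloom-linux-amd64"))
    return [ok, tampered, unlisted]
```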

SBOM

A CycloneDX SBOM is published with each release as paraloom-core-sbom.cdx.json, with its own Sigstore signature (.sig + .pem). It enumerates every direct and transitive Cargo dependency, with version, license, and source hash. Useful for compliance scans and dependency-vulnerability tracking.

$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/latest/download/paraloom-core-sbom.cdx.json
$ jq '.components | length' paraloom-core-sbom.cdx.json
347

Container image

Releases are also published to GHCR as a container image:

$ docker pull ghcr.io/paraloom-labs/paraloom:v0.5.0-rc5

# verify image signature
$ cosign verify ghcr.io/paraloom-labs/paraloom:v0.5.0-rc5 \
    --certificate-identity-regexp 'https://github.com/paraloom-labs/paraloom-core/.*' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

Why keyless Sigstore

We don't sign with a long-lived private key — that key would be a single point of compromise. The Sigstore keyless flow binds the signature to:

  • The specific GitHub Actions workflow that built the artifact (release.yml)
  • The specific commit SHA (recorded in the certificate)
  • A short-lived OIDC token (issued by GitHub, expires within minutes)

This means a leaked CI secret or a compromised developer machine can't be used to forge a signed release. Verification checks the OIDC issuer and identity regex above; note that the regex as written accepts any workflow in the paraloom-core repository, so tighten it to the release.yml path if you also want to pin the workflow.

Release cadence

Version    | Status                                   | Highlights
v0.5.0-rc5 | current pre-release                      | first-class paraloom validator CLI (register/start/status/list/unregister), on-chain program-id fix (declare_id aligned to the deployed devnet address), Initialize upgrade-authority gate, persistent libp2p identity, unified paraloom binary published alongside paraloom-node
v0.5.0-rc4 | shipped May 2026                         | shielded transfers (2-in/2-out, BFT-verified), encrypted note delivery + recipient scan, transfer ingress + consensus, withdrawal hardening (witness-path Merkle membership, canonical verifying key, authority binding, libp2p multi-node consensus with 5-node byzantine quorum), reproducible withdrawal demo
v0.5.0-rc3 | shipped May 2026                         | bridge/full-tx synth + canonical proof pipeline
v0.5.0-rc2 | shipped May 2026                         | release pipeline, MPC ceremony tooling, peer discovery, coordinator HA
v0.5.0     | gated on MPC ceremony completion + audit | mainnet readiness
v0.4.0     | shipped May 2026                         | range proofs, replay protection, slashing, fsync
v0.3.0     | shipped May 2026                         | private compute alpha (Pedersen + ownership proof)
