Releases & Supply Chain

Multi-platform signed release binaries with SHA-256 checksums, CycloneDX SBOM, and Sigstore signatures.

Paraloom releases are built and published from CI with a verifiable supply chain. Every published artifact comes with:

  • A SHA-256 checksum (SHA256SUMS file)
  • A CycloneDX SBOM (Software Bill of Materials)
  • A Sigstore signature over the checksums file (keyless, OIDC-bound to the GitHub Actions workflow)

This closes issue #70. Implementation lives in .github/workflows/release.yml in paraloom-core.

Platforms

Target              | Triple                     | Notes
Linux x86_64        | x86_64-unknown-linux-gnu   | glibc, most common
Linux aarch64       | aarch64-unknown-linux-gnu  | ARM64 servers, Raspberry Pi 5
macOS Apple Silicon | aarch64-apple-darwin       | M-series Macs
Windows x86_64      | x86_64-pc-windows-msvc     | MSVC toolchain

Intel macOS (x86_64-apple-darwin) was dropped from the matrix at v0.5.0-rc2 because of GitHub-hosted runner deprecation; build-from-source still works.

Verifying a release

# 1. Download the binary, checksums file, signature, and certificate
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/download/v0.5.0-rc2/paraloom-linux-amd64
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/download/v0.5.0-rc2/SHA256SUMS
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/download/v0.5.0-rc2/SHA256SUMS.sig
$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/download/v0.5.0-rc2/SHA256SUMS.crt

# 2. Verify the Sigstore signature on the checksums file
$ cosign verify-blob \
    --certificate SHA256SUMS.crt \
    --signature SHA256SUMS.sig \
    --certificate-identity-regexp 'https://github.com/paraloom-labs/paraloom-core/.*' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
    SHA256SUMS

# 3. Verify the binary matches the (now-trusted) checksums file
$ sha256sum -c SHA256SUMS --ignore-missing
paraloom-linux-amd64: OK

If any step fails, do not run the binary. Open an issue at paraloom-core/issues.
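Step 3 above relies on two things the one-liner hides: the binary's name must actually be listed in SHA256SUMS (a file that is simply not listed must count as a failure, not a pass), and the checksums file is only trustworthy after the cosign verify-blob step has succeeded. The following is an added example, not part of the Paraloom release tooling, that performs the checksum step with those fail-closed semantics; it assumes GNU-style SHA256SUMS lines and a binary already downloaded next to the checksums file.

```python
import hashlib
import hmac
import os
import string
from pathlib import Path


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse GNU-style lines: '<64 hex>  <name>' or '<64 hex> *<name>' (binary mode)."""
    sums: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")  # drop the text/binary mode marker
        if len(digest) != 64 or not all(c in string.hexdigits for c in digest) or not name:
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {raw!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksum(binary_path: str, sums_path: str) -> bool:
    """True only if the binary's basename is listed in SHA256SUMS and its digest matches.

    Call this only after the checksums file itself has passed Sigstore verification;
    an unlisted binary fails closed instead of being silently skipped.
    """
    sums = parse_sha256sums(Path(sums_path).read_text(encoding="utf-8"))
    expected = sums.get(os.path.basename(binary_path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_file(binary_path))


if __name__ == "__main__":
    import sys

    ok = verify_checksum(sys.argv[1], sys.argv[2])  # usage: verify.py <binary> <SHA256SUMS>
    print("OK" if ok else "FAILED: do not run the binary")
    sys.exit(0 if ok else 1)
```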

SBOM

A CycloneDX SBOM is published with each release as paraloom-<version>-cyclonedx.json. It enumerates every direct and transitive Cargo dependency, with version, license, and source hash. Useful for compliance scans and dependency-vulnerability tracking.

$ curl -LO https://github.com/paraloom-labs/paraloom-core/releases/download/v0.5.0-rc2/paraloom-0.5.0-rc2-cyclonedx.json
$ jq '.components | length' paraloom-0.5.0-rc2-cyclonedx.json
347

Container image

Releases are also published to GHCR as a container image:

$ docker pull ghcr.io/paraloom-labs/paraloom:v0.5.0-rc2

# verify image signature
$ cosign verify ghcr.io/paraloom-labs/paraloom:v0.5.0-rc2 \
    --certificate-identity-regexp 'https://github.com/paraloom-labs/paraloom-core/.*' \
    --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

Why keyless Sigstore

We don't sign with a long-lived private key — that key would be a single point of compromise. The Sigstore keyless flow instead binds each signature to:

  • The specific GitHub Actions workflow that built the artifact (release.yml)
  • The specific commit SHA (recorded in the certificate)
  • A short-lived OIDC token (issued by GitHub, expires within minutes)

This means a leaked CI secret or developer machine can't be used to forge a signed release. Verification checks the OIDC issuer and identity regex above.

Release cadence

Version    | Status                                   | Highlights
v0.5.0-rc2 | current pre-release                      | release pipeline, MPC ceremony tooling, peer discovery, coordinator HA
v0.5.0     | gated on MPC ceremony completion + audit | mainnet readiness
v0.4.0     | shipped May 2026                         | range proofs, replay protection, slashing, fsync
v0.3.0     | shipped May 2026                         | private compute alpha (Pedersen + ownership proof)