Use this file to discover all available pages before exploring further.
The SuprSend CLI is signed and notarised starting from release 0.2.19. Before installing, you can cryptographically confirm that the binary you downloaded was built by SuprSend and has not been modified in transit.
SuprSend signs the CLI using Cosign. At every release, checksums.txt - a SHA-256 hash manifest of every release archive - is signed and the resulting bundle is published alongside checksums.txt.sig and public_key.pem as GitHub release assets.Running cosign verify-blob confirms the signature is valid and that checksums.txt has not been modified since signing.
This command is identical on macOS, Linux, and Windows (PowerShell).What each argument does:
Argument
Description
--key public_key.pem
SuprSend’s PEM-encoded public key. Cosign uses this to validate the signature.
--bundle checksums.txt.sig
The Cosign bundle containing the signature and its metadata.
checksums.txt
The artifact being verified - the SHA-256 manifest of all release archives.
Expected output:
Verified OK
Verified OK confirms:
The signature was produced using SuprSend’s private key - the key that corresponds to public_key.pem. Only SuprSend’s release pipeline has access to it.
checksums.txt is byte-for-byte identical to what was signed at release time.
If you see invalid signature when validating ASN1 encoded signature, do not proceed with installation. Re-download all three files from the same release and retry. If the failure persists, contact SuprSend support.
This step confirms your downloaded CLI archive matches the hash in checksums.txt - ruling out any corruption or substitution of the binary.
Your platform archive must be downloaded and present in the same directory as checksums.txt before running this command. If you haven’t downloaded it yet, see the Installation page. If the archive is not in the directory, the command will return no output rather than an error - which can look like a pass but means nothing was actually verified.
macOS
Linux
Windows
shasum -a 256 --check checksums.txt --ignore-missing
Expected output (filename matches the archive you downloaded):
darwin.arm64.suprsend.tar.gz: OK
sha256sum --check checksums.txt --ignore-missing
Expected output (filename matches the archive you downloaded):
linux.x64.suprsend.tar.gz: OK
# Auto-detects whichever Windows archive is present in the current directory$archives = @( "suprsend_Windows_x86_64.zip", "suprsend_Windows_arm64.zip", "win32.x64.suprsend.zip", "win32.arm64.suprsend.zip")$archive = $archives | Where-Object { Test-Path ".\$_" } | Select-Object -First 1if (-not $archive) { Write-Error "No Windows archive found in the current directory. Download it first." exit 1}$line = Get-Content checksums.txt | Where-Object { $_ -match [regex]::Escape($archive) }$expected = ($line -split '\s+')[0].ToLower()$actual = (Get-FileHash ".\$archive" -Algorithm SHA256).Hash.ToLower()if ($expected -eq $actual) { Write-Host "Checksum OK - $archive"} else { Write-Error "CHECKSUM MISMATCH - do not use this archive"}
Expected output:
Checksum OK - suprsend_Windows_x86_64.zip
The filename in the output will match whichever archive you downloaded.
SuprSend’s signing private key is held exclusively by the automated release pipeline and never leaves the secure signing environment. public_key.pem is the public counterpart - it is published openly with every release and carries no risk of compromise.
