Skip to main content
The SuprSend CLI is signed and notarised starting from release 0.2.19. Before installing, you can cryptographically confirm that the binary you downloaded was built by SuprSend and has not been modified in transit.

How it works

SuprSend signs the CLI using Cosign. At every release, checksums.txt - a SHA-256 hash manifest of every release archive - is signed and the resulting bundle is published alongside checksums.txt.sig and public_key.pem as GitHub release assets. Running cosign verify-blob confirms the signature is valid and that checksums.txt has not been modified since signing.

Prerequisites

You need Cosign installed. It is a single binary with no runtime dependencies.
Confirm it is working:

Step 1 - Download the verification files

Always download public_key.pem directly from the official SuprSend CLI releases page. Do not copy it from mirrors or third-party sources.

Step 2 - Verify the signature

With all three files in the same directory, run:
This command is identical on macOS, Linux, and Windows (PowerShell). What each argument does: Expected output:
Verified OK confirms:
  • The signature was produced using SuprSend’s private key - the key that corresponds to public_key.pem. Only SuprSend’s release pipeline has access to it.
  • checksums.txt is byte-for-byte identical to what was signed at release time.
If you see invalid signature when validating ASN1 encoded signature, do not proceed with installation. Re-download all three files from the same release and retry. If the failure persists, contact SuprSend support.

Step 3 - Verify the archive checksum

This step confirms your downloaded CLI archive matches the hash in checksums.txt - ruling out any corruption or substitution of the binary.
Your platform archive must be downloaded and present in the same directory as checksums.txt before running this command. If you haven’t downloaded it yet, see the Installation page. If the archive is not in the directory, the command will return no output rather than an error - which can look like a pass but means nothing was actually verified.
Expected output (filename matches the archive you downloaded):

Full script

Downloads the verification files and your platform archive, verifies both, then installs.

Reference

All archives are available on the GitHub releases page.
SuprSend’s signing private key is held exclusively by the automated release pipeline and never leaves the secure signing environment. public_key.pem is the public counterpart - it is published openly with every release and carries no risk of compromise.

If you encounter an unexpected verification failure, reach out at support@suprsend.com or open an issue on the SuprSend CLI GitHub repository.