0.2.19. Before installing, you can cryptographically confirm that the binary you downloaded was built by SuprSend and has not been modified in transit.
How it works
SuprSend signs the CLI using Cosign. At every release,checksums.txt - a SHA-256 hash manifest of every release archive - is signed and the resulting bundle is published alongside checksums.txt.sig and public_key.pem as GitHub release assets.
Running cosign verify-blob confirms the signature is valid and that checksums.txt has not been modified since signing.
Prerequisites
You need Cosign installed. It is a single binary with no runtime dependencies.- macOS
- Linux (amd64)
- Windows
Step 1 - Download the verification files
- macOS / Linux
- Windows
Always download
public_key.pem directly from the official SuprSend CLI releases page. Do not copy it from mirrors or third-party sources.Step 2 - Verify the signature
With all three files in the same directory, run:
Expected output:
Verified OK confirms:
- The signature was produced using SuprSend’s private key - the key that corresponds to
public_key.pem. Only SuprSend’s release pipeline has access to it. checksums.txtis byte-for-byte identical to what was signed at release time.
Step 3 - Verify the archive checksum
This step confirms your downloaded CLI archive matches the hash inchecksums.txt - ruling out any corruption or substitution of the binary.
Your platform archive must be downloaded and present in the same directory as
checksums.txt before running this command. If you haven’t downloaded it yet, see the Installation page. If the archive is not in the directory, the command will return no output rather than an error - which can look like a pass but means nothing was actually verified.- macOS
- Linux
- Windows
Full script
Downloads the verification files and your platform archive, verifies both, then installs.- macOS (Apple Silicon)
- macOS (Intel)
- Linux (x86_64)
- Linux (ARM64)
- Windows (x86_64)
- Windows (ARM64)
Reference
Available platform archives
Available platform archives
All archives are available on the GitHub releases page.
Security model
Security model
SuprSend’s signing private key is held exclusively by the automated release pipeline and never leaves the secure signing environment.
public_key.pem is the public counterpart - it is published openly with every release and carries no risk of compromise.