Binary Security

ProxSave publishes release artifacts on GitHub Releases and provides multiple ways to verify what you downloaded. Use SHA256 verification as the baseline, and optionally verify GitHub build provenance attestations for stronger supply-chain assurance.

What is shipped in GitHub Releases

Typical release assets include:

  • proxsave_<version>_linux_<arch>.tar.gz (archive)
  • proxsave_<version>_linux_<arch> (raw binary)
  • SHA256SUMS (SHA256 checksums for release assets)
  • *.sbom.cdx.json (CycloneDX SBOM for the archive, when published)
  • GitHub build provenance attestations (generated by the official release workflow for build/proxsave_* artifacts)

The install.sh installer and the proxsave --upgrade flow both verify SHA256 checksums using SHA256SUMS before installing.

Verify with SHA256 checksums (recommended minimum)

Download a specific version and verify the checksum against SHA256SUMS (replace VERSION and ARCH):

VERSION="x.y.z"
ARCH="amd64" # or arm64

ARCHIVE="proxsave_${VERSION}_linux_${ARCH}.tar.gz"
BINARY="proxsave_${VERSION}_linux_${ARCH}"

curl -fsSLO "https://github.com/tis24dev/proxsave/releases/download/v${VERSION}/${ARCHIVE}"
curl -fsSLO "https://github.com/tis24dev/proxsave/releases/download/v${VERSION}/${BINARY}"
curl -fsSLO "https://github.com/tis24dev/proxsave/releases/download/v${VERSION}/SHA256SUMS"

# Verify archive
grep " ${ARCHIVE}$" SHA256SUMS | sha256sum -c -

# Verify raw binary
grep " ${BINARY}$" SHA256SUMS | sha256sum -c -

If you only downloaded one artifact, verify only that artifact.
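The commands above report only pass or fail from sha256sum -c. As an added example that is not ProxSave's own install.sh or --upgrade code, the following POSIX shell function performs the same check against SHA256SUMS but returns a distinct exit code for each failure mode (mismatch, unlisted or duplicated name, missing file), so a wrapper script can tell a tampered or corrupted download apart from a wrong version/architecture filename. The file names and payload in the demo at the bottom are constructed, not real release assets.

```shell
#!/bin/sh
# Added example (not ProxSave's install.sh or --upgrade code): verify one
# downloaded release asset against SHA256SUMS, with explicit exit codes for
# each failure mode instead of a single pass/fail from "sha256sum -c".
#
# Exit codes of verify_asset:
#   0  checksum matches the single SHA256SUMS entry for this file name
#   1  checksum mismatch (do not install or run the artifact)
#   2  file name not listed, or listed more than once, in SHA256SUMS
#   3  SHA256SUMS or the artifact itself is missing/unreadable

sha256_of() {
    # Portable digest: coreutils sha256sum on Linux, shasum elsewhere.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

verify_asset() {
    sums="$1"
    asset="$2"
    name=$(basename "$asset")

    [ -r "$sums" ]  || { echo "ERROR: cannot read checksum file $sums" >&2; return 3; }
    [ -f "$asset" ] || { echo "ERROR: artifact not found: $asset" >&2; return 3; }

    # Exact file-name match on the second column (no regex, so dots in the
    # name are literal); a leading '*' marks binary mode in GNU sha256sum
    # output and is stripped before comparing.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) print tolower($1) }' "$sums")

    set -- $expected
    if [ "$#" -eq 0 ]; then
        echo "ERROR: $name is not listed in $sums (wrong version/arch name?)" >&2
        return 2
    elif [ "$#" -gt 1 ]; then
        echo "ERROR: $name is listed $# times in $sums; refusing to guess" >&2
        return 2
    fi

    actual=$(sha256_of "$asset" | tr 'A-F' 'a-f')
    if [ "$actual" != "$1" ]; then
        echo "FAIL: $name" >&2
        echo "  expected $1" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK: $name"
    return 0
}

# Demo on constructed data (no download): a fake asset, its SHA256SUMS entry,
# then the same asset after a one-byte tamper.
demo_dir=$(mktemp -d)
demo_asset="$demo_dir/proxsave_0.0.0_linux_amd64.tar.gz"
printf 'constructed payload, not a real release\n' > "$demo_asset"
printf '%s  %s\n' "$(sha256_of "$demo_asset")" "$(basename "$demo_asset")" > "$demo_dir/SHA256SUMS"
verify_asset "$demo_dir/SHA256SUMS" "$demo_asset"     # prints OK
printf 'x' >> "$demo_asset"
verify_asset "$demo_dir/SHA256SUMS" "$demo_asset"     # prints FAIL, returns 1
rm -rf "$demo_dir"
```

Usage against a real download is `verify_asset SHA256SUMS "${ARCHIVE}"` from the directory where the three curl commands above placed the files; anything but exit code 0 means the artifact should not be installed. Matching on the exact file name rather than a grep pattern also avoids a silent mismatch when one release name is a prefix of another.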

Verify GitHub build provenance attestation (optional)

GitHub Releases can include build provenance attestations for release artifacts. You can verify them with the GitHub CLI:

gh attestation verify "${ARCHIVE}" --repo tis24dev/proxsave

What this check is intended to confirm:

  • The artifact was produced by the official tis24dev/proxsave repository
  • The artifact was built by the official GitHub Actions release workflow
  • The attestation includes metadata such as the commit SHA and build context

This verification is “keyless” (no GPG key import/management): GitHub uses OIDC-based identity and Sigstore-backed signing for attestations.

If verification fails

Do not install or run the artifact. Common causes include:

  • Partial or corrupted download (re-download and retry)
  • Wrong version/architecture filename
  • Local filesystem corruption
  • Attestation or GitHub service issues

Reporting security concerns

If you suspect a security issue, report it through the repository’s security reporting channel (or open a GitHub issue).