Binary Verification

Verify the authenticity and integrity of Voxeltron releases before installing them.

Checksum Verification

Every GitHub Release includes a checksums.txt file containing SHA256 hashes for all release artifacts. To verify a downloaded binary:

# Download the checksums file for your release
curl -LO https://github.com/jaikoo/voxeltron/releases/download/v0.1.0/checksums.txt

# Verify all downloaded artifacts against the checksums
sha256sum --check checksums.txt

On macOS, use shasum -a 256 instead of sha256sum:

shasum -a 256 --check checksums.txt

To verify a single file manually:

# Compute the hash of the downloaded binary
sha256sum voxeltrond-linux-amd64.tar.gz

# Compare the output against the corresponding line in checksums.txt

If the hashes do not match, do not use the binary. Re-download from the official GitHub Releases page and verify again.
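The single-file check above, written out as a small POSIX shell helper (an added example, not a script from the Voxeltron project): it looks up the artifact's line in checksums.txt, picks sha256sum or shasum depending on the host, and treats a missing entry as a failure rather than a pass. The function names vx_sha256 and vx_verify_artifact are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not part of the Voxeltron project): verify one downloaded
# artifact against its SHA256 line in checksums.txt.

# Print the SHA256 hex digest of a file using whichever tool the host has
# (sha256sum on Linux, shasum -a 256 on macOS).
vx_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no sha256 tool found" >&2
        return 2
    fi
}

# vx_verify_artifact CHECKSUMS_FILE ARTIFACT
# Exit status: 0 = hash matches, 1 = mismatch, 2 = no hashing tool,
# 3 = checksums file has no entry for this artifact (treated as a failure,
# because an artifact that is not listed has not been verified at all).
vx_verify_artifact() {
    checksums="$1"
    artifact="$2"
    name=$(basename "$artifact")
    # checksums.txt lines look like "<hex>  <filename>" (or "<hex> *<filename>"
    # in binary mode); match the filename exactly, ignoring a leading '*'.
    expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$checksums")
    if [ -z "$expected" ]; then
        echo "FAIL: no entry for $name in $checksums" >&2
        return 3
    fi
    actual=$(vx_sha256 "$artifact") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAIL: $name expected $expected got $actual" >&2
    return 1
}
```

Usage: vx_verify_artifact checksums.txt voxeltrond-linux-amd64.tar.gz, then check the exit status before unpacking anything.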

Cosign Verification (GitHub fallback releases)

Manual releases from build-mac are currently the primary release path. Cosign keyless provenance applies only when a release is produced via the GitHub fallback workflow and includes .sig/.pem files.

If those files are present, verify checksums.txt provenance with:

cosign verify-blob \
  --signature checksums.txt.sig \
  --certificate checksums.txt.pem \
  --certificate-identity-regexp "https://github.com/jaikoo/voxeltron/.github/workflows/release.yml@refs/tags/v.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  checksums.txt

Then validate artifact hashes:

sha256sum --check checksums.txt

GPG Verification (APT/DNF repository metadata)

Releases now include:

  • voxeltron-signing-key.asc (public key)
  • voxeltron-apt-Release + voxeltron-apt-Release.gpg
  • voxeltron-rpm-repomd.xml + voxeltron-rpm-repomd.xml.asc

Verify repository metadata before trusting local or mirrored package repositories:

gpg --import voxeltron-signing-key.asc
gpg --verify voxeltron-apt-Release.gpg voxeltron-apt-Release
gpg --verify voxeltron-rpm-repomd.xml.asc voxeltron-rpm-repomd.xml

If verification fails, do not use that repository snapshot. Re-download release metadata from the official release page.

SBOM Available

Each release includes SPDX JSON SBOM files (*.spdx.json) generated from published artifacts.

Use them to audit dependencies and feed vulnerability scanners:

# Example: inspect package count in an SBOM
jq '.packages | length' voxeltrond-x86_64-unknown-linux-gnu.tar.gz.spdx.json

Install Script Verification

If you use the one-line install script, always inspect it before piping to a shell:

# Download and review the script first
curl -sSL https://get.voxeltron.dev | less

# Only run it after you've reviewed the contents
curl -sSL https://get.voxeltron.dev | bash

Never blindly pipe a remote script to bash. Always review the contents first.

The install script is open source and hosted in the Voxeltron repository. You can also review it directly on GitHub before running it.