Every released binary is accompanied by a SHA256 sidecar (verified automatically on every install) and a SLSA build provenance attestation signed via Sigstore and recorded in the public transparency log. The SHA256 check is mandatory and always runs. Provenance verification is optional — it’s only needed if you want a cryptographic link from the binary back to the exact commit and workflow run that built it.

Manual verification

Recommended for one-off audits. Requires the GitHub CLI installed and authenticated (gh auth login). Replace vX.Y.Z with the tag of the version you installed — pinning the source ref and signer workflow gives you the “exact commit and workflow run” guarantee; --repo alone only proves the artifact was built by some workflow in our repository.

macOS / Linux:

gh attestation verify ~/.local/bin/plannotator \
  --repo backnotprop/plannotator \
  --source-ref refs/tags/vX.Y.Z \
  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml

Windows (PowerShell installer):

gh attestation verify "$env:LOCALAPPDATA\plannotator\plannotator.exe" `
  --repo backnotprop/plannotator `
  --source-ref refs/tags/vX.Y.Z `
  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml

Windows (CMD installer):

gh attestation verify "%USERPROFILE%\.local\bin\plannotator.exe" ^
  --repo backnotprop/plannotator ^
  --source-ref refs/tags/vX.Y.Z ^
  --signer-workflow backnotprop/plannotator/.github/workflows/release.yml

For air-gapped or no-auth environments, see GitHub’s docs on verifying attestations offline.

Automatic verification during install

Provenance verification is off by default — the same default every major curl | bash installer uses (rustup, brew, bun, deno, helm). To have the installer additionally run gh attestation verify on every upgrade, enable it via any of the three mechanisms below. Precedence is CLI flag > env var > config file > default.

1. Per-install flag (one-shot):

curl -fsSL https://plannotator.ai/install.sh | bash -s -- --verify-attestation

PowerShell: ... -VerifyAttestation. Windows CMD: install.cmd --verify-attestation.

2. Environment variable (persist in your shell RC):

export PLANNOTATOR_VERIFY_ATTESTATION=1

3. Config file (persist shell-agnostic):

mkdir -p ~/.plannotator
echo '{ "verifyAttestation": true }' > ~/.plannotator/config.json

When enabled, the installer requires gh CLI installed and authenticated (gh auth login). If gh is missing or the check fails, the install hard-fails so you don’t silently skip verification. To force-skip for a single install, pass --skip-attestation (bash/cmd) or -SkipAttestation (PowerShell).

Supported versions

Version pinning and provenance verification are fully supported from v0.17.2 onwards — the first release to ship native ARM64 Windows binaries and SLSA attestations. Pinning to a pre-v0.17.2 tag may work for default installs on macOS, Linux, and x64 Windows, but ARM64 Windows hosts will get a 404 and provenance verification will be rejected by the installer’s pre-flight check.

Built by

backnotprop pbowyer dgrissen2 elithompson AlexanderKolberg HeikoAtGitHub dotemacs andreineculau oorestisime Pran-Ker Aeg1sx renovate[bot] gwynnnplaine dmmulroy foxytanuki l10veu602 Exloz yonihorn nulladdict mynameistito LUUUAN mactavishz PanicIsReal leoreisdias ndesjardins-comact luyanfeng ShineBreaker punk-dev-robot eromoe ZoeImport dezren39 aviadshiber maxim gwtaylor dillonoconnor Zengwenj daviziks alexey-igrychev rooterkyberian djamatgit Thraka jedzill4 oronbz myohei RobertoArtiles JayGhiya rcdailey ohmantics blimmer ryan-dsilva waynehsmith charlozard andreivladmatei UberMouse h4rvey-g kurtextrem jhillyerd Yecats timrichardson kanchev1 Raneddo arogulin DRBragg masterpavan MarceloPrado iefnaf Flojomojo bman654 andymac4182 sercantor ovitrif axelboman277 rockneurotiko JohannesKlauss 0xbentang hackerbara xrd romanr TomLucidor thoroc PetrBrabec