GitHub Releases
Every stable release on the releases page ships:
- Archives —
datamitsu_<version>_<os>_<arch>.tar.gz(Linux, macOS) and.zip(Windows) foramd64andarm64 - Linux packages —
.deb,.rpm, and.apk checksums.txt— SHA-256 of every asset, pluschecksums.txt.sigstore.json, its keyless cosign signature- SBOMs — one per archive
datamitsu_parsers_<version>.wasm— the parser module (downloaded by the CLI on demand, verified against the signedchecksums.txt)datamitsu-<version>.vsix— the VS Code extension for manual installs
Binary archive
VERSION=0.1.13
curl -LO "https://github.com/datamitsu/datamitsu/releases/download/v${VERSION}/datamitsu_${VERSION}_linux_amd64.tar.gz"
tar -xzf "datamitsu_${VERSION}_linux_amd64.tar.gz"
sudo install -m 0755 datamitsu /usr/local/bin/datamitsu
Linux packages
# Debian / Ubuntu
sudo dpkg -i datamitsu_${VERSION}_linux_amd64.deb
# Fedora / RHEL
sudo rpm -i datamitsu_${VERSION}_linux_amd64.rpm
# Alpine
sudo apk add --allow-untrusted datamitsu_${VERSION}_linux_amd64.apk
Verify downloads
Check the SHA-256 against checksums.txt:
curl -LO "https://github.com/datamitsu/datamitsu/releases/download/v${VERSION}/checksums.txt"
sha256sum --ignore-missing -c checksums.txt
checksums.txt itself is signed in CI with keyless cosign. Verify the
signature to establish that the checksums came from this repository's release
workflow:
curl -LO "https://github.com/datamitsu/datamitsu/releases/download/v${VERSION}/checksums.txt.sigstore.json"
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp 'https://github.com/datamitsu/datamitsu/.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt
Release artifacts also carry GitHub build provenance attestations:
gh attestation verify datamitsu_${VERSION}_linux_amd64.tar.gz --repo datamitsu/datamitsu
See Supply Chain Security for the full verification model.