Verifying your download

Every zshot release artifact is signed with sigstore cosign so you can independently confirm the file you downloaded is the file we published.

What you need

You don’t need a Sigstore account, an Apple ID, or any auth to verify — just the artifact, the bundle, and the public key.

What’s in the .sig file

Modern cosign emits a single signing bundle per artifact: a JSON blob containing the signature, the signer’s certificate, and the entry in the public Rekor transparency log. The file extension we use is .sig, but the file content is a bundle. Verify it by passing it to cosign verify-blob --bundle, not --signature.

Commands for the latest release

The example commands below verify zshot 0.1.10. Substitute another version or paste these into a script — the URL pattern is stable.

Remember that each .sig file is the signing bundle described above, so it is passed with --bundle, not --signature.

macOS (.zip)

    curl -LO https://f004.backblazeb2.com/file/zshot-releases/cli/zshot-0.1.10-macos.zip
    curl -LO https://f004.backblazeb2.com/file/zshot-releases/cli/zshot-0.1.10-macos.zip.sig
    cosign verify-blob \
        --key https://zshot-cli.com/cosign.pub \
        --bundle zshot-0.1.10-macos.zip.sig \
        zshot-0.1.10-macos.zip

Linux (.deb)

    curl -LO https://f004.backblazeb2.com/file/zshot-releases/cli/zshot-0.1.10-linux-amd64.deb
    curl -LO https://f004.backblazeb2.com/file/zshot-releases/cli/zshot-0.1.10-linux-amd64.deb.sig
    cosign verify-blob \
        --key https://zshot-cli.com/cosign.pub \
        --bundle zshot-0.1.10-linux-amd64.deb.sig \
        zshot-0.1.10-linux-amd64.deb

Docker image

    cosign verify \
        --key https://zshot-cli.com/cosign.pub \
        scaleassembly/zshot:0.1.10
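The page notes that the URL pattern is stable enough to script. The helper below is an added example, not part of the zshot docs or tooling: it builds the artifact and bundle URLs for any version and platform suffix, downloads both into a scratch directory, runs cosign verify-blob --bundle, and returns cosign's exit status. It assumes only the download base URL and key location shown above; the function names are mine.

```shell
#!/usr/bin/env sh
# Added example (not zshot's own code): verify any zshot release artifact
# using the URL pattern and public key documented on this page.

RELEASE_BASE="https://f004.backblazeb2.com/file/zshot-releases/cli"
COSIGN_PUB="https://zshot-cli.com/cosign.pub"

# artifact_name VERSION SUFFIX  ->  zshot-0.1.10-linux-amd64.deb
artifact_name() {
    printf 'zshot-%s-%s\n' "$1" "$2"
}

# artifact_url VERSION SUFFIX  ->  full download URL following the documented pattern
artifact_url() {
    printf '%s/%s\n' "$RELEASE_BASE" "$(artifact_name "$1" "$2")"
}

# verify_release VERSION SUFFIX
# Downloads the artifact and its .sig bundle, then runs cosign verify-blob.
# Returns 0 only when cosign reports Verified OK; any download or
# verification failure propagates as a non-zero status.
verify_release() {
    version="$1"; suffix="$2"
    name="$(artifact_name "$version" "$suffix")"
    command -v cosign >/dev/null 2>&1 || { echo "cosign not found in PATH" >&2; return 2; }
    workdir="$(mktemp -d)" || return 2
    (
        cd "$workdir" &&
        curl -fsSLO "$(artifact_url "$version" "$suffix")" &&
        curl -fsSLO "$(artifact_url "$version" "$suffix").sig" &&
        # The .sig is a bundle, so it goes to --bundle, never --signature.
        cosign verify-blob --key "$COSIGN_PUB" --bundle "$name.sig" "$name"
    )
    status=$?
    rm -rf "$workdir"
    return "$status"
}

# Run directly with two arguments, e.g.:  ./verify-zshot.sh 0.1.10 linux-amd64.deb
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

Sourcing the file instead of running it makes verify_release available to other scripts, which can branch on its exit status rather than parsing cosign's output.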

What success looks like

A successful cosign verify-blob exits with status 0 and prints Verified OK. Any tampering — whether of the binary, bundle, or key — produces a non-zero exit and an explicit error.

For the Docker image, cosign verify prints the verified signature payload as JSON when the signature is valid. The signature itself lives in the registry as a sibling tag, so you don’t need a separate --bundle argument. We sign the image manifest digest (not the tag), so cosign verify works against scaleassembly/zshot:VERSION, scaleassembly/zshot:latest, or scaleassembly/zshot@sha256:DIGEST — they all resolve to the same signed digest. The exact digest for each release is recorded in the manifest under artifacts.docker.digest.

Older releases

The bundle_url for each historical release lives in the release manifest. You can pull any past version’s bundle with the same cosign verify-blob --bundle form — just swap in the older version number.