This document provides detailed instructions for verifying the integrity and authenticity of Inference Gateway CLI release binaries using SHA256 checksums and Cosign signatures.
Verifying release binaries ensures that:
- Integrity: The binary hasn't been corrupted during download
- Authenticity: The binary was genuinely released by the project maintainers
- Supply Chain Security: Protection against supply chain attacks and compromised binaries
All official Inference Gateway CLI releases are signed with Cosign to provide cryptographic verification of authenticity.
We provide two verification methods:
- SHA256 Checksum Verification (Basic): Verifies file integrity
- Cosign Signature Verification (Advanced): Verifies authenticity and integrity
This method verifies that the binary hasn't been corrupted during download.
```bash
# Download binary (replace with your platform)
curl -L -o infer-darwin-amd64 \
  https://github.com/inference-gateway/cli/releases/latest/download/infer-darwin-amd64
# Download checksums file
curl -L -o checksums.txt \
  https://github.com/inference-gateway/cli/releases/latest/download/checksums.txt
```

```bash
# Calculate checksum of downloaded binary
shasum -a 256 infer-darwin-amd64
# Compare with checksums in checksums.txt
grep infer-darwin-amd64 checksums.txt
```

The output from both commands should match exactly. If they differ, do not use the binary and try downloading again.
Once verified, make the binary executable and install it:
```bash
chmod +x infer-darwin-amd64
sudo mv infer-darwin-amd64 /usr/local/bin/infer
```

This advanced method provides cryptographic verification that the binary was actually released by the project maintainers, protecting against supply chain attacks.
Install Cosign:
```bash
# macOS
brew install cosign
# Linux (using release binary)
wget https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x cosign-linux-amd64
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
# Or install via go
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
```

```bash
# Download binary (replace with your platform)
curl -L -o infer-darwin-amd64 \
  https://github.com/inference-gateway/cli/releases/latest/download/infer-darwin-amd64
# Download checksums and signature files
curl -L -o checksums.txt \
  https://github.com/inference-gateway/cli/releases/latest/download/checksums.txt
curl -L -o checksums.txt.pem \
  https://github.com/inference-gateway/cli/releases/latest/download/checksums.txt.pem
curl -L -o checksums.txt.sig \
  https://github.com/inference-gateway/cli/releases/latest/download/checksums.txt.sig
```

First, verify the basic checksum as described in the SHA256 section above:
```bash
# Calculate checksum of downloaded binary
shasum -a 256 infer-darwin-amd64
# Compare with checksums in checksums.txt
grep infer-darwin-amd64 checksums.txt
```

Now verify that the checksums file was signed by the project's official release workflow:
```bash
# Decode base64 encoded certificate
cat checksums.txt.pem | base64 -d > checksums.txt.pem.decoded
# Verify the signature
cosign verify-blob \
  --certificate checksums.txt.pem.decoded \
  --signature checksums.txt.sig \
  --certificate-identity "https://github.com/inference-gateway/cli/.github/workflows/release.yml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  checksums.txt
```

Successful Output:
If verification succeeds, you should see output similar to:

```
Verified OK
```
Failed Verification:
If verification fails, do not use the binary. This could indicate:
- The binary has been tampered with
- You downloaded from an unofficial source
- There was an error in the release process
Once both SHA256 and Cosign verification pass, install the binary:
```bash
chmod +x infer-darwin-amd64
sudo mv infer-darwin-amd64 /usr/local/bin/infer
```

Replace `infer-darwin-amd64` with your platform's binary name:
| Platform | Architecture | Binary Name |
|---|---|---|
| macOS | Intel (amd64) | infer-darwin-amd64 |
| macOS | Apple Silicon (arm64) | infer-darwin-arm64 |
| Linux | amd64 | infer-linux-amd64 |
| Linux | arm64 | infer-linux-arm64 |
To verify a specific release version instead of the latest:
Replace `latest` in the download URLs with the version tag (e.g., `v0.77.0`):

```bash
# Example for version v0.77.0
curl -L -o infer-darwin-amd64 \
  https://github.com/inference-gateway/cli/releases/download/v0.77.0/infer-darwin-amd64
```

If the SHA256 checksums don't match:
- Retry the download: The download may have been interrupted or corrupted
- Check your network: Ensure you're not behind a proxy that modifies downloads
- Verify the source: Ensure you're downloading from the official GitHub releases page
If Cosign verification fails:
- Check Cosign version: Ensure you have a recent version of Cosign installed
- Verify certificate identity: Ensure the `--certificate-identity` matches exactly
- Check file permissions: Ensure all downloaded files are readable
- Re-download files: The signature files may have been corrupted
If `base64 -d` fails:

```bash
# Try alternative decoding methods
base64 --decode checksums.txt.pem > checksums.txt.pem.decoded
# Or use openssl
openssl base64 -d -in checksums.txt.pem -out checksums.txt.pem.decoded
```

- Always verify binaries before installation, especially in production environments
- Use HTTPS when downloading to prevent man-in-the-middle attacks
- Pin specific versions in automated deployments rather than using `latest`
- Store verification scripts in version control for reproducible builds
- Verify checksums AND signatures for maximum security (not just one method)
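
The checksum and Cosign steps above combined into one fail-closed script suitable for version control, as an added example (not the project's own tooling). It assumes `checksums.txt` lines have the `<sha256>  <filename>` form that `shasum` prints; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumes checksums.txt lines
# have the "<sha256>  <filename>" form printed by shasum/sha256sum.

# Print the SHA256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum <binary> <checksums-file>
# 0 = match, 1 = mismatch, 2 = no single well-formed entry for the file.
verify_checksum() {
  bin=$1; sums=$2; name=$(basename "$bin")
  # Match the filename field exactly: a plain grep for "$name" would also
  # hit longer names that contain it (e.g. "$name.sbom").
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
    f == n { print tolower($1) }' "$sums")
  case $expected in
    "" | *[!0-9a-f]*)   # missing, duplicated (newline) or malformed
      echo "no usable entry for $name in $sums" >&2; return 2 ;;
  esac
  actual=$(sha256_of "$bin" 2>/dev/null)
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2; return 1
  fi
}

# verify_signature <checksums-file>: the cosign check from this page; expects
# <checksums-file>.pem (base64) and <checksums-file>.sig next to it.
verify_signature() {
  base64 -d < "$1.pem" > "$1.pem.decoded" &&
  cosign verify-blob \
    --certificate "$1.pem.decoded" \
    --signature "$1.sig" \
    --certificate-identity "https://github.com/inference-gateway/cli/.github/workflows/release.yml@refs/heads/main" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    "$1"
}

# verify_release <binary> <checksums-file>: both checks must pass; the
# signature goes first so hashes are read only from an authenticated file.
verify_release() {
  verify_signature "$2" && verify_checksum "$1" "$2"
}
```

Call `verify_release ./infer-linux-amd64 ./checksums.txt` and install only when it exits with status 0.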