sixafter · mprimeaux · Nov 20, 2025 · Nov 20, 2025
@@ -61,7 +61,7 @@ jobs:
 
       # Ref: https://github.com/golangci/golangci-lint-action
       - name: Lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           args: --config=.golangci.yaml --verbose
 

@@ -29,3 +29,4 @@ out/
 .vscode/
 
 dist/
+tmp/
@@ -17,6 +17,24 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
 
+---
+
+## [1.52.0] - 2025-11-20
+
+### Added
+- **risk:** Added `signature-verify` make target to verify latest release's digital signatures for the current GOOS and GOARCH combination.
+
+### Changed
+- **debt:** Upgraded dependencies to their latest stable versions.
+
+### Deprecated
+### Removed
+### Fixed
+- **defect:** Fixed `README.md` instructions for verifying module checksums.
+
+### Security
+- **risk:** Upgraded `golang.org/x/crypto` to `v0.45.0` to address vulnerabilities.
+
 ---
 ## [1.51.3] - 2025-11-07
 
@@ -365,7 +383,8 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
 
-[Unreleased]: https://github.com/sixafter/types/compare/v1.51.3...HEAD
+[Unreleased]: https://github.com/sixafter/types/compare/v1.52.0...HEAD
+[1.52.0]: https://github.com/sixafter/types/compare/v1.51.3...v1.52.0
 [1.51.3]: https://github.com/sixafter/types/compare/v1.50.0...v1.51.3
 [1.50.0]: https://github.com/sixafter/types/compare/v1.49.0...v1.50.0
 [1.49.0]: https://github.com/sixafter/types/compare/v1.48.0...v1.49.0

@@ -92,8 +92,15 @@ vuln: ## Check for vulnerabilities
 
 .PHONY: release-verify
 release-verify: ## Verify the release
-	rm -fr dist
-	goreleaser --config .goreleaser.yaml release --snapshot
+	@scripts/verify-release.sh
+
+.PHONY: module-verify
+mod-verify: ## Verify Go module integrity
+	@scripts/verify-mod.sh
+
+.PHONY: signature-verify
+signature-verify: ## Verify latest release's digital signatures
+	@scripts/verify-sig.sh
 
 .PHONY: help
 help: ## Display this help screen

@@ -32,43 +32,42 @@ To verify the integrity of the `types` source, run the following commands:
 # Fetch the latest release tag from GitHub API (e.g., "v1.52.0")
 TAG=$(curl -s https://api.github.com/repos/sixafter/types/releases/latest | jq -r .tag_name)
 
-# Remove leading "v" for filenames (e.g., "v1.52.0" -> "1.52.0")
+# Remove the leading "v" for filenames (e.g., "v1.52.0" -> "1.52.0")
 VERSION=${TAG#v}
 
 # ---------------------------------------------------------------------
 # Verify the source archive using Sigstore bundles
 # ---------------------------------------------------------------------
 
-# Download the release tarball and its corresponding bundle
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz.bundle.json
+# Download the release tarball and its signature bundle
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz"
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz.sigstore.json"
 
-# Verify the tarball with Cosign using your published public key
+# Verify the tarball with Cosign using the published public key
 cosign verify-blob \
-  --key https://raw.githubusercontent.com/sixafter/types/main/cosign.pub \
-  --bundle types-${VERSION}.tar.gz.bundle.json \
-  types-${VERSION}.tar.gz
+  --key "https://raw.githubusercontent.com/sixafter/types/main/cosign.pub" \
+  --bundle "types-${VERSION}.tar.gz.sigstore.json" \
+  "types-${VERSION}.tar.gz"
 
 # ---------------------------------------------------------------------
 # Verify the checksums manifest using Sigstore bundles
 # ---------------------------------------------------------------------
 
-# Download checksums.txt and its bundle
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt.bundle.json
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt"
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt.sigstore.json"
 
-# Verify checksums.txt with Cosign using your public key
+# Verify checksums.txt with Cosign
 cosign verify-blob \
-  --key https://raw.githubusercontent.com/sixafter/types/main/cosign.pub \
-  --bundle checksums.txt.bundle.json \
-  checksums.txt
+  --key "https://raw.githubusercontent.com/sixafter/types/main/cosign.pub" \
+  --bundle "checksums.txt.sigstore.json" \
+  "checksums.txt"
 
 # ---------------------------------------------------------------------
 # Confirm local artifact integrity
 # ---------------------------------------------------------------------
 
-# Compute and validate checksums locally
-shasum -a 256 -c checksums.txt
+shasum -a 256 -c checksups.txt
+
 ```
 
 If valid, Cosign will output:

@@ -81,3 +81,26 @@ function is_windows() {
 
   return $(false)
 }
+
+function goos() {
+  case "$(detect_os)" in
+    Linux)  echo "linux" ;;
+    macOS)  echo "darwin" ;;
+    Windows) echo "windows" ;;
+    *) echo "unsupported"; return 1 ;;
+  esac
+}
+
+function goarch() {
+  local ARCH
+  ARCH=$(uname -m)
+
+  case "$ARCH" in
+    x86_64|amd64)  echo "amd64" ;;
+    arm64|aarch64) echo "arm64" ;;
+    armv6l)        echo "armv6" ;;
+    armv7l)        echo "armv7" ;;
+    i386|i686)     echo "386" ;;
+    *) echo "unsupported"; return 1 ;;
+  esac
+}
@@ -0,0 +1,95 @@
+#!/bin/bash
+# Copyright (c) 2024-2025 Six After, Inc.
+#
+# This source code is licensed under the Apache 2.0 License found in the
+# LICENSE file in the root directory of this source tree.
+set -euo pipefail
+
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${__dir}"/os-type.sh
+
+# Windows
+if is_windows; then
+    echo "[ERROR] Windows is not currently supported." >&2
+    exit 1
+fi
+
+# Ensure tmp directory exists
+mkdir -p tmp
+rm tmp/*.zip 2>/dev/null || true
+
+# ------------------------------------------------------------
+# Detect latest release (README method)
+# ------------------------------------------------------------
+REPO_OWNER="sixafter"
+REPO_NAME="types"
+MODULE="github.com/${REPO_OWNER}/${REPO_NAME}"
+
+TAG=$(curl -s "https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/releases/latest" | jq -r .tag_name)
+VERSION=${TAG#v}
+
+echo "Latest release: $TAG (version: $VERSION)"
+
+# ------------------------------------------------------------
+# Portable SHA-256 function (macOS + Linux)
+# ------------------------------------------------------------
+if command -v sha256sum >/dev/null 2>&1; then
+  SHA256="sha256sum"
+else
+  SHA256="shasum -a 256"
+fi
+
+# ------------------------------------------------------------
+# 1. GitHub Tag ZIP
+# ------------------------------------------------------------
+echo "Downloading GitHub tag archive..."
+curl -sSfL -o tmp/github.zip \
+  "https://github.com/${REPO_OWNER}/${REPO_NAME}/archive/refs/tags/${TAG}.zip"
+
+GITHUB_SHA=$($SHA256 tmp/github.zip | awk '{print $1}')
+echo "GitHub ZIP SHA256:  $GITHUB_SHA"
+
+# ------------------------------------------------------------
+# 2. Direct go mod ZIP
+# ------------------------------------------------------------
+echo "Downloading go mod ZIP using direct mode..."
+
+MOD_JSON=$(GOPROXY=direct go mod download -json "${MODULE}@${TAG}")
+MOD_ZIP_PATH=$(echo "$MOD_JSON" | jq -r '.Zip')
+
+if [ ! -f "$MOD_ZIP_PATH" ]; then
+  echo "ERROR: The go mod ZIP path does not exist:"
+  echo "$MOD_ZIP_PATH"
+  exit 1
+fi
+
+cp "$MOD_ZIP_PATH" tmp/gomod.zip
+GOMOD_SHA=$($SHA256 tmp/gomod.zip | awk '{print $1}')
+echo "go mod ZIP SHA256:  $GOMOD_SHA"
+
+# ------------------------------------------------------------
+# 3. Go Proxy ZIP
+# ------------------------------------------------------------
+echo "Downloading Go module proxy ZIP..."
+curl -sSfL -o tmp/proxy.zip \
+  "https://proxy.golang.org/${MODULE}/@v/${TAG}.zip"
+
+PROXY_SHA=$($SHA256 tmp/proxy.zip | awk '{print $1}')
+echo "Proxy ZIP SHA256:   $PROXY_SHA"
+
+# ------------------------------------------------------------
+# Comparison
+# ------------------------------------------------------------
+echo
+echo "Comparing checksums..."
+echo "GitHub : $GITHUB_SHA"
+echo "go mod : $GOMOD_SHA"
+echo "Proxy  : $PROXY_SHA"
+echo
+
+if [ "$GITHUB_SHA" != "$GOMOD_SHA" ] || [ "$GITHUB_SHA" != "$PROXY_SHA" ]; then
+  echo "ERROR: CHECKSUM MISMATCH DETECTED!"
+  exit 1
+fi
+
+echo "Go module archive is fully reproducible across GitHub, direct, and proxy."