Release integrity
How to verify OntoCode / OntoIndex release artifacts from GitHub Releases.
Checksums
Each release includes SHA256SUMS with SHA-256 hashes of:
- ontoindex-v<version>-x86_64-unknown-linux-gnu.tar.gz (CLI binary, Linux x64)
- ontoindex-lsp-v<version>-<platform>.tar.gz / .zip (per-platform LSP)
- ontocode-<version>.vsix (VS Code extension)
- NOTICES (third-party license summary)
Verify after download:
shasum -a 256 -c SHA256SUMS
On Linux you may use sha256sum -c SHA256SUMS instead.
Worked example (Linux x64 CLI)
VERSION=0.8.0 # replace with the release tag you are verifying
curl -fsSLO "https://github.com/eddiethedean/ontocode/releases/download/v${VERSION}/SHA256SUMS"
curl -fsSLO "https://github.com/eddiethedean/ontocode/releases/download/v${VERSION}/ontoindex-v${VERSION}-x86_64-unknown-linux-gnu.tar.gz"
# Only one artifact was downloaded, so skip the SHA256SUMS entries that are not present locally
sha256sum --ignore-missing -c SHA256SUMS
tar xzf "ontoindex-v${VERSION}-x86_64-unknown-linux-gnu.tar.gz"
chmod +x "ontoindex-v${VERSION}-x86_64-unknown-linux-gnu"
"./ontoindex-v${VERSION}-x86_64-unknown-linux-gnu" --version
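When only one artifact is downloaded, the check can also be done per file so that it fails closed if the file is not listed in SHA256SUMS at all. This is an added example, not part of the OntoCode project's tooling; `verify_artifact` and `sha256_of` are hypothetical helper names, the demo file is constructed, and release filenames are assumed to contain no whitespace.

```shell
# Added example (not project code). Helper names are hypothetical.

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact <SHA256SUMS> <artifact>
# Returns 0 only if the artifact's filename is listed exactly once in
# SHA256SUMS and the recorded hash equals the hash of the local file.
verify_artifact() {
    sums=$1
    artifact=$2
    name=$(basename "$artifact")
    [ -f "$sums" ] && [ -f "$artifact" ] || { echo "missing input file" >&2; return 2; }

    # Compare the filename field exactly (a leading '*' marks binary mode).
    # Nothing is printed if the name is absent or appears more than once.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { h = $1; c++ }
        END { if (c == 1) print tolower(h) }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed exactly once in $sums" >&2; return 1; }

    actual=$(sha256_of "$artifact")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
    else
        echo "$name: hash mismatch" >&2
        return 1
    fi
}

# Constructed demo: a stand-in artifact and a one-line SHA256SUMS in a temp dir.
demo_dir=$(mktemp -d)
printf 'constructed payload\n' > "$demo_dir/ontocode-demo.vsix"
printf '%s  ontocode-demo.vsix\n' "$(sha256_of "$demo_dir/ontocode-demo.vsix")" > "$demo_dir/SHA256SUMS"
verify_artifact "$demo_dir/SHA256SUMS" "$demo_dir/ontocode-demo.vsix"          # unmodified file passes
printf 'tampered\n' >> "$demo_dir/ontocode-demo.vsix"
verify_artifact "$demo_dir/SHA256SUMS" "$demo_dir/ontocode-demo.vsix" || true  # modified file is rejected
rm -rf "$demo_dir"
```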
crates.io
Rust crates are published from CI using a restricted CARGO_REGISTRY_TOKEN. Install with:
cargo install ontoindex-cli --locked
Prefer --locked so dependency versions match the published crate.
VS Code extension
- Download the .vsix from the release matching your platform (multi-platform VSIX bundles ontoindex-lsp).
- Verify against SHA256SUMS.
- Install via Extensions → Install from VSIX…
ontocode.lspPath is a trusted-admin setting. In VS Code Restricted Mode (untrusted workspace), the extension ignores workspace lspPath and uses the bundled server.
Dependency auditing
CI runs cargo audit on the Rust workspace. Report vulnerable dependencies via security.md.
Future: signed artifacts
Code signing and Sigstore attestations for release binaries are planned. Until then, use checksums and install from the official GitHub Releases page only.