Release Introduction ==================== Shyft provides pre-built, cryptographically signed release packages to simplify installation and deployment. These releases are intended for users and operators who require: * reliable installation across supported platforms * verifiable software integrity and authenticity * traceability from distributed artifacts back to source code Because Shyft is often used in operational and analytical environments where correctness is critical, the release process is designed to support independent verification and auditability. What Is an Official Release? ---------------------------- An official Shyft release consists of: * Binary packages for supported platforms * A provenance document (``PROVENANCE.txt``) * A detached signature of the provenance document * The public release signing key Only artifacts that have been produced through the documented release process and explicitly signed are considered official Shyft releases. Trust and Verification ---------------------- Shyft releases are part of a verifiable trust chain: :: Maintainer identity ↓ OpenPGP signing key ↓ Signed source commits and tags ↓ Controlled build process ↓ Signed release artifacts and provenance ↓ User verification before installation Users are encouraged to verify release artifacts before installation. How to Use This Section ----------------------- This section describes how Shyft releases are produced, signed, and verified. The main documents are: * :doc:`overview` High-level description of release artifacts and trust model * :doc:`release-process` Detailed description of how releases are built and signed * :doc:`signing-keys` Information about the Shyft release signing keys * :doc:`package-verification` Step-by-step instructions for verifying release artifacts * :doc:`governance-and-infrastructure-control` Guidance for operating secure and controlled release and deployment infrastructure Relationship to Security ------------------------ The release process relies on secure key management and hardware-backed signing. These topics are described in: :doc:`../security/index` Scope ----- The Shyft release model provides: * cryptographic authenticity of release artifacts * traceability from source code to distributed packages * support for reproducible and auditable builds However, it does not replace the need for organizational governance, secure infrastructure, or operational controls in high-security environments. These aspects are addressed separately in the governance documentation.