Release Introduction

Shyft provides pre-built, cryptographically signed release packages to simplify installation and deployment.

These releases are intended for users and operators who require:

  • reliable installation across supported platforms

  • verifiable software integrity and authenticity

  • traceability from distributed artifacts back to source code

Because Shyft is often used in operational and analytical environments where correctness is critical, the release process is designed to support independent verification and auditability.

What Is an Official Release?

An official Shyft release consists of:

  • Binary packages for supported platforms

  • A provenance document (PROVENANCE.txt)

  • A detached signature of the provenance document

  • The public release signing key

Only artifacts that have been produced through the documented release process and explicitly signed are considered official Shyft releases.

Trust and Verification

Shyft releases are part of a verifiable trust chain:

Maintainer identity
    ↓
OpenPGP signing key
    ↓
Signed source commits and tags
    ↓
Controlled build process
    ↓
Signed release artifacts and provenance
    ↓
User verification before installation

Users are encouraged to verify release artifacts before installation.
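An added example of that final verification step, written for this page rather than taken from Shyft's own tooling: the detached signature on PROVENANCE.txt is checked first, and only then are the digests it lists compared against the downloaded packages. It assumes a one-digest-per-line PROVENANCE.txt format, a PROVENANCE.txt.asc signature file and a dedicated keyring holding only the release key; none of these details is specified on this page.

```python
# Added example, not Shyft's own tooling. Assumed (not from the page): one
# "<sha256 hex>  <filename>" per PROVENANCE.txt line; signature in PROVENANCE.txt.asc.
import hashlib
import subprocess
import tempfile
from pathlib import Path

def parse_provenance(text: str) -> dict[str, str]:
    """Map filename -> expected sha256; blank and '#' lines are ignored."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, name = line.split(maxsplit=1)
        if len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name}")
        expected[name.strip()] = digest.lower()
    return expected

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def signature_is_valid(keyring: Path, provenance: Path, signature: Path) -> bool:
    """Step 1: gpg --verify with a keyring (assumed) holding only the release key."""
    cmd = ["gpg", "--no-default-keyring", "--keyring", str(keyring),
           "--verify", str(signature), str(provenance)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def check_artifacts(release_dir: Path, expected: dict[str, str]) -> dict[str, str]:
    """Step 2: 'ok', 'mismatch' or 'missing' for every package the document lists."""
    def status(name: str, digest: str) -> str:
        path = release_dir / name
        if not path.is_file():
            return "missing"
        return "ok" if sha256_file(path) == digest else "mismatch"
    return {name: status(name, digest) for name, digest in expected.items()}

def verify_release(release_dir: Path, keyring: Path) -> dict[str, str]:
    prov = release_dir / "PROVENANCE.txt"
    if not signature_is_valid(keyring, prov, release_dir / "PROVENANCE.txt.asc"):
        raise RuntimeError("PROVENANCE.txt signature did not verify; do not install")
    return check_artifacts(release_dir, parse_provenance(prov.read_text()))

def demo() -> dict[str, str]:
    d = Path(tempfile.mkdtemp())  # constructed sample release: good, tampered, absent
    (d / "shyft-linux.tar.gz").write_bytes(b"abc")
    (d / "shyft-windows.zip").write_bytes(b"tampered")
    good = sha256_file(d / "shyft-linux.tar.gz")
    names = ("shyft-linux.tar.gz", "shyft-windows.zip", "shyft-macos.pkg")
    return check_artifacts(d, parse_provenance("\n".join(f"{good}  {n}" for n in names)))
```

Run verify_release(Path("."), Path("shyft-release.kbx")) in a directory holding the downloaded packages; a signature failure aborts before any digest is read, so a tampered provenance document cannot be used to vouch for tampered packages.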

How to Use This Section

This section describes how Shyft releases are produced, signed, and verified.

The main documents are:

Relationship to Security

The release process relies on secure key management and hardware-backed signing.

These topics are described in:

Security

Scope

The Shyft release model provides:

  • cryptographic authenticity of release artifacts

  • traceability from source code to distributed packages

  • support for reproducible and auditable builds

However, it does not replace the need for organizational governance, secure infrastructure, or operational controls in high-security environments.

These aspects are addressed separately in the governance documentation.