Release Overview¶
Shyft distributes binary packages to simplify installation and deployment. These packages are provided as a convenience for users who prefer not to build the software directly from source.
Because Shyft is used in operational environments where correctness and software integrity are critical, official releases are cryptographically signed and accompanied by provenance information.
Release artifacts therefore include:
Signed package files
A provenance document (
PROVENANCE.txt)A detached signature of the provenance document
The public signing key
These components allow users to independently verify:
Package integrity
Package authenticity
The relationship between the package and the source repository
Release artifacts are published through distribution channels such as the GitLab package registry and static repository hosting.
Only artifacts that have been produced through the documented release procedure and explicitly signed are considered official Shyft releases.
Example Quick verification:
gpg --verify PROVENANCE.txt.asc PROVENANCE.txt
rpm -Kv *.rpm
The release process, signing model, and verification procedures are described in:
Trust Model Summary¶
Shyft establishes trust through a layered and verifiable process:
Maintainer identity
↓
OpenPGP signing key
↓
Signed source commits and tags
↓
Controlled and reproducible build
↓
Signed release artifacts and provenance
↓
User verification before installation
Each step in this chain can be independently verified.
Scope and Limitations¶
The release procedure described here is designed to provide a transparent, reproducible, and verifiable software distribution model.
Shyft release artifacts are built from signed source tags using controlled build environments and are signed using hardware-backed keys. This minimizes the trust boundary and ensures that the release process can be audited and reproduced.
However, this release process does not by itself satisfy the full security requirements of operational technology (OT) environments such as those used in critical energy-market infrastructure.
Additional Controls Required in High-Security Environments¶
In such environments additional controls are typically required, for example:
Dedicated trusted build infrastructure
Strict separation between development and operational networks
Mandatory vulnerability scanning of source dependencies
Static and dynamic code analysis
Reproducible build verification
Controlled artifact promotion between security zones
Independent security review and auditing
These topics are further discussed in:
Future Hardening Considerations¶
The current Shyft release process is designed to minimize the trust boundary and provide strong guarantees through controlled build environments and hardware-backed signing.
The current Shyft project structure and team size do not require these additional controls, but they are documented here to support future evolution and adoption in more strictly governed environments.
For environments with higher assurance requirements, additional hardening measures may be introduced in future versions of the release process.
Examples include:
Restricting release tag signing to a dedicated set of approved release keys
Maintaining an allowlist of approved release-signing keys governed within the trusted domain
Maintaining an allowlist of approved commit-signing keys for contributors
Enforcing that commits and tags are signed by approved keys before being accepted into protected branches
Signing and version-controlling the allowlist(s) of approved keys
Requiring multi-party approval (“two-person rule”) for release authorization
Separation of roles between contributors, build operators, and release authorities
These controls strengthen the integrity of the source repository by ensuring that only contributions from explicitly approved identities are accepted.
These mechanisms further strengthen the trust model by introducing explicit governance and separation of duties.
However, they also require additional operational procedures and coordination, and are therefore not part of the current baseline release process.
Trusted Build and Release Architecture¶
Shyft uses a controlled and reproducible build pipeline where both the build process and the signing process are executed within infrastructure that is logically and physically controlled by the organization.
A typical secure build pipeline consists of:
Controlled build hosts or build clusters, provisioned from audited base images
Strict separation between development environments and release infrastructure
Verified source inputs (signed commits and tags)
Deterministic or reproducible build procedures
Isolated artifact storage within the trusted domain
Hardware-backed signing using offline or access-controlled keys
Controlled promotion of artifacts between security zones
The following conceptual flow illustrates this model:
flowchart TD
A["Signed source tag"] --> B["Controlled build environment"]
B --> C["Reproducible build artifacts"]
C --> D["Isolated artifact storage"]
D --> E["Trusted signing host<br/>Nitrokey"]
E --> F["Signed release artifacts"]
F --> G["Controlled distribution"]
In this architecture:
The build environment is part of the trusted domain
The release process does not depend on external CI/CD systems
The signing process remains the primary trust anchor, operating within a reduced and auditable trust boundary
The entire pipeline can be audited, reproduced, and verified end-to-end
Transitioning to this model reduces dependency on third-party infrastructure and minimizes the overall attack surface of the software supply chain.
The Shyft release tooling and documentation support this architecture through:
Version-controlled build environment definitions (e.g., container image recipes)
Reproducible packaging procedures across supported platforms
Tooling for verification of build inputs and outputs
Documentation and examples for operating secure build infrastructure
Organizations adopting Shyft in high-security environments are encouraged to implement this model, adapting it to their internal governance and regulatory requirements.
Release Artifact Contents¶
A typical release contains the following files:
shyft-runtime-<version>.rpm
shyft-development-<version>.rpm
shyft-python-<version>.rpm
PROVENANCE.txt
PROVENANCE.txt.asc
shyft-release-key.asc
The provenance file records metadata about the signing event and links the signed artifacts to the source revision and build procedure from which they were derived.