If you discover a security vulnerability, please report it privately via GitHub Security Advisories rather than opening a public issue.
All release artifacts are built in GitHub Actions and include cryptographic verification:
- SHA256 checksums — every release includes a
checksums.txtcontaining the SHA256 hash of each archive. - Cosign signature — the
checksums.txtfile is signed using Sigstore cosign with keyless OIDC signing, proving the artifacts were produced by the official CI workflow.
shp self-update automatically verifies the SHA256 checksum of downloaded archives before installing. If the checksum doesn't match, the update is refused.
Download the release assets (checksums.txt, checksums.txt.sig, checksums.txt.pem) and the archive you want to verify.
cosign verify-blob \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp "github\.com/shaffe-fr/php-shepherd" \
checksums.txtThis proves the checksums file was produced by the official GitHub Actions workflow for this repository.
# PowerShell
(Get-FileHash php-shepherd_*_windows_amd64.zip -Algorithm SHA256).Hash
# Compare with the corresponding line in checksums.txt# Bash / WSL
sha256sum -c checksums.txt --ignore-missing- All downloads (self-update, PECL extensions) enforce HTTPS only.
- Self-update download URLs are validated against a domain allowlist (github.com, objects.githubusercontent.com).
- Download sizes are capped to prevent resource exhaustion.
- Zip extraction includes zip-slip protection (path traversal prevention).
- Extension names are validated against a strict regex before being used in URLs.
- The
checksums.txtmust be present in the release — self-update refuses to proceed without it.