Verification and checksum guide

Validate every artifact before installation to reduce supply-chain risk.

Verification checklist

Download binaries from official GitHub Releases.
Download matching checksum or signature files.
Compute local checksum and compare exactly.
Verify signature when signing keys are provided.

Example commands

# macOS / Linux
$ shasum -a 256 moaiy.pkg
# compare output with published SHA256 value
$ gpg --verify moaiy.pkg.sig moaiy.pkg

If verification fails

Do not execute the artifact.
Redownload from official release pages.
Report mismatches to [email protected].

Download Official artifact channel. Security Disclosure flow and assurance status. Release Notes Version-level changes and timing.