Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Verifying downloads

Every released nxvim binary ships with a SHA-256 checksum and a signed build provenance attestation proving it was built by this repository’s release workflow.

Checksums

Each release (stable and edge) includes a SHA256SUMS file. After downloading an archive into the same directory:

sha256sum --ignore-missing -c SHA256SUMS

Provenance attestation

Requires the GitHub CLI. Verify an archive against the attestation GitHub stores for it:

gh attestation verify nxvim-0.2.0-x86_64-linux.tar.gz --repo davidrios/nxvim

A successful run confirms the artifact was produced by the nxvim release workflow at a specific commit, and was not tampered with afterwards.

macOS signature & notarization

The macOS binaries are signed with an Apple Developer ID Application certificate, built with the hardened runtime, and notarized by Apple, so they run on any Mac without a Gatekeeper override. Confirm locally:

# Signature, authority chain, hardened runtime (look for flags=...(runtime)):
codesign -dv --verbose=4 nxvim

# Gatekeeper assessment — "accepted" / "source=Notarized Developer ID" (needs network):
spctl -a -t exec -vv nxvim

The TUI binary is not stapled (Apple does not support stapling a notarization ticket to a standalone executable), so the spctl check performs an online verification. A terminal install (curl … | tar xz) sets no quarantine attribute and runs offline regardless.