Transparency
Verify a download
What we can prove today
Every release is listed in a signed feed:
updates.json
+ detached signature
updates.json.sig.
The install commands on this site download that feed, verify the
Ed25519 signature with the public key below, then check the archive’s
SHA-256 before installing.
In-app updates on Windows and Linux use the same check. The public key
is also embedded in the Kairos source
(src/util/update_manifest.cpp) so you can compare it to
GitHub, not only to this page.
Ed25519 public key
95b165b1899922ef39ccd88636baeb2e602941ed4017a0d8a9cd157948d08b12
Quick check — Windows (PowerShell, no Python)
irm https://kairos.intentsync.dev/updates.json -OutFile updates.json irm https://kairos.intentsync.dev/updates.json.sig -OutFile updates.json.sig irm https://kairos.intentsync.dev/verify-release.ps1 -OutFile verify-release.ps1 # download kairos-windows.zip (or arm64), then: powershell -NoProfile -ExecutionPolicy Bypass -File .\verify-release.ps1 ` -Manifest updates.json -Signature updates.json.sig ` -Archive kairos-windows.zip -Platform windows-x64
Quick check — macOS / Linux (Python 3)
curl -fsSL -O https://kairos.intentsync.dev/updates.json curl -fsSL -O https://kairos.intentsync.dev/updates.json.sig curl -fsSL -O https://kairos.intentsync.dev/verify-release.py # download the archive for your platform, then: python3 verify-release.py \ --manifest updates.json \ --signature updates.json.sig \ --archive Kairos.dmg \ --platform macos
Platforms: macos, windows-x64,
windows-arm64, linux-x64.
Exit code 0 means the signature and hash matched.
What the installers already do
install.sh(Mac),install.ps1(Windows), andinstall-linux.shrefuse to install if verification fails.- Windows uses a PowerShell-native Ed25519 + SHA-256 check (no Python).
macOS/Linux installers use
python3(no pip packages). - Emergency override for local builds:
KAIROS_SKIP_VERIFY=1— prints a warning; don’t use it for downloads from the internet.
Honest gap: OS “verified publisher”
Cryptographic integrity is not the same as Apple notarization or Windows Authenticode. Until those land, macOS Gatekeeper and Windows SmartScreen may still warn — they look for an Apple/Microsoft publisher identity, which requires paid developer certificates we have not shipped yet.
So if a friend says “I only trust verified apps,” the accurate answer today is:
- You can verify the bits — Ed25519 + SHA-256 against the key on this page (and in source).
- The OS badge is not there yet — expect Gatekeeper / SmartScreen prompts; they are not a failed hash check.
- Name collision — “Kairos” is also used by unrelated threat actors in news write-ups. That is not this product. Prefer this site’s install command and the verify steps above over random search results.
What we will add next
- Apple Developer ID + notarization for the Mac app
- Windows Authenticode signing for the tray and daemon
- Those remove the OS scary prompts; they do not replace the Ed25519 feed (we keep both).