Skip to content

v0.2.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 20 May 11:56
· 33 commits to main since this release
v0.2.0
This tag was signed with the committer’s verified signature.
FlUxIuS Sébastien Dudek
GPG key ID: 09F8063D55D60A54
Verified
Learn about vigilant mode.
9e227b6
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS
# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File SHA-256
luksbox-0.2.0-1.aarch64.rpm 73ca30df245a84b47be3f78fee996b13e1fd401b5dfc3808309e03d8fd458f6c
luksbox-0.2.0-1.x86_64.rpm 4a5334e550cd36d5c653027de0858fe564ef648505b0922c2c3ade7d300d419d
luksbox-v0.2.0-aarch64-linux-jammy.tar.gz d067182bdc38179709de4e59a17d48c5260510765cb20849b865f0952d42475d
luksbox-v0.2.0-aarch64-macos-fuset-portable.tar.gz 17955aff62a7097639d866acd5c9cb528d3bc1fc4bab9aad73d524879ae7318e
luksbox-v0.2.0-aarch64-macos-fuset.dmg 8f0c30251a3a746da0b2d89cdcf8b674c4df56896f276922b4f753e2de378bf0
luksbox-v0.2.0-x86_64-linux-jammy.tar.gz d051729656f9fa9801d9b3c17b028a6cef2b011551dc64cdf0c23497b26f1eb9
luksbox-v0.2.0-x86_64-windows-setup.exe 8f1254824e2df4cf74f36ed626c9359bc2418cc66358a57c141a065b16f66f58
luksbox-v0.2.0-x86_64-windows.msi 219499a282740332d5693cb5f2397653e21b94350c08208454fdb14d917954b4
luksbox-v0.2.0-x86_64-windows.zip 9b9b930bd92e28df5e730c005f9d37cb6122b8884c674f0000e7048e792eeb22
luksbox_0.2.0-1_jammy_amd64.deb e5628eb16085bcb59d540609ab8092479e945d34842b8011e8366796165da73a
luksbox_0.2.0-1_jammy_arm64.deb 1b0eb9df4e1a360e2c3f127a43abc06a64c4fecdc93ba73c36c1b64178d37606
luksbox_0.2.0-1_noble_amd64.deb 787f406a459ffdfe4ef38b2982aa9908af7e8d1f26a5bf9fe0c4e54d867f12b8
luksbox_0.2.0-1_noble_arm64.deb e8ba7504ca387a48e01b40223854f962538f0c30a07898542c02c245bee1a4ab

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.2.0-x86_64-linux-jammy.tar.gz && cd luksbox-v0.2.0-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.2.0-aarch64-linux-jammy.tar.gz && cd luksbox-v0.2.0-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.2.0-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port - on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.2.0-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI (dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.2.0-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already present) AND LUKSbox in one wizard.
Unattended deploy: LUKSboxSetup.exe /quiet. To skip
WinFsp (e.g., you manage it via Group Policy):
LUKSboxSetup.exe InstallWinFsp=0. WinFsp is bundled
under its non-GPL-app linking exception; full license
ships as LICENSE-WINFSP.txt in the install dir.

Windows (x86_64), IT-admin / bare MSI: download
luksbox-v0.2.0-x86_64-windows.msi. This
MSI does not include WinFsp; install WinFsp 2.x
separately from https://winfsp.dev/rel/ first
(LUKSbox statically links winfsp-x64.dll and the MSI
refuses to install without it). For unattended deploy
behind Group Policy / SCCM / Intune where WinFsp is
managed as a separate dependency, this is the right
artifact. Otherwise the -setup.exe above is easier.

Windows (x86_64), portable: unzip
luksbox-v0.2.0-x86_64-windows.zip
and run the .exe in place. No installation, no Start
menu entry, no PATH change. Same binaries as the MSI.
Because nothing was added to PATH, you must either
(a) run from a shell where <WinFspInstall>\bin is on
PATH, or (b) drop a copy of winfsp-x64.dll next to
luksbox.exe in the unzipped folder.

libfido2 is statically linked into the .exe; no runtime
install needed for FIDO2.

See the Verify your download section at the top for
checksum verification commands.

What's Changed

New Contributors

  • @FlUxIuS made their first contribution in #6
  • @sagittarius-a metadata checks that have been extended & readapted to denial mode too

Full Changelog: v0.1.1...v0.2.0

Contributors

FlUxIuS and sagittarius-a
Assets 17
Loading