Skip to content

v0.2.1

Choose a tag to compare

View all tags
@github-actions github-actions released this 22 May 21:07
· 40 commits to main since this release
v0.2.1
This tag was signed with the committer’s verified signature.
FlUxIuS Sébastien Dudek
GPG key ID: 09F8063D55D60A54
Verified
Learn about vigilant mode.
a4ae453
This commit was signed with the committer’s verified signature.
FlUxIuS Sébastien Dudek
GPG key ID: 09F8063D55D60A54
Verified
Learn about vigilant mode.

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS
# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File SHA-256
luksbox-0.2.1-1.aarch64.rpm 53a4ca5d60d3463fbcf0e05754a170e62aa24decc0aa36c988cb13737a02a0de
luksbox-0.2.1-1.x86_64.rpm e58166ed4cf971015b7e5deb5b011c978bad1316da4f821180a90278af821e43
luksbox-v0.2.1-aarch64-linux-jammy.tar.gz 915493acddf078beb45889b187f0faa1a46501d8a3d3f21d057187d6ff14ed53
luksbox-v0.2.1-aarch64-macos-fuset-portable.tar.gz 6a35e1e7d7236869588177da20e76e1f3b885a95a9057e170f741fde04c7ecde
luksbox-v0.2.1-aarch64-macos-fuset.dmg a925572b2e3498e5816aa87c111b4744b74e5db8289ecf464f54de6b705cdda6
luksbox-v0.2.1-x86_64-linux-jammy.tar.gz 2cca92eb8601954c70bdd44c8af52e7db6e546c4a17830e712a682505d39523b
luksbox-v0.2.1-x86_64-windows-setup.exe a718a5131899e6e5d8f35fed7da1455e87f6008617a0d09cc79d23b6e8cea8c2
luksbox-v0.2.1-x86_64-windows.msi 78d3bfcddaae57393ccd028ae7633a73325904515d346661bfe08592da923c99
luksbox-v0.2.1-x86_64-windows.zip 45a6f625115a00b421d83dc2673ecd771dd8d6b0686d16db3a08563ddb49bffa
luksbox_0.2.1-1_jammy_amd64.deb a1d4ddfc261abe43f3ebe50114e80594de7d32aa152ea8e8160d65ef91096117
luksbox_0.2.1-1_jammy_arm64.deb 0b48eb5807ae21ba7ea5ad2633081505b1bf4cce1aa8f2434bdeb1222486cc45
luksbox_0.2.1-1_noble_amd64.deb 33300f00c76651f7b560e5240cf172717964a64e66b6ea935f799d056d8805d8
luksbox_0.2.1-1_noble_arm64.deb dc3510b4a68b338c744704d461145be6da5d5d9ad971370738dde878fbe10d85
luksbox_0.2.1-1_trixie_amd64.deb 5b32699964f4ac59448cd0346339b8c30a162d8f40618045722ef992e273f437
luksbox_0.2.1-1_trixie_arm64.deb d0ffaeb32d5cd276a7b1b1da1f853a3c302a3cdf9b2f79ed988b88c352851e7e

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.2.1-x86_64-linux-jammy.tar.gz && cd luksbox-v0.2.1-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.2.1-aarch64-linux-jammy.tar.gz && cd luksbox-v0.2.1-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.2.1-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port - on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.2.1-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI (dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.2.1-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already present) AND LUKSbox in one wizard.
Unattended deploy: LUKSboxSetup.exe /quiet. To skip
WinFsp (e.g., you manage it via Group Policy):
LUKSboxSetup.exe InstallWinFsp=0. WinFsp is bundled
under its non-GPL-app linking exception; full license
ships as LICENSE-WINFSP.txt in the install dir.

Windows (x86_64), IT-admin / bare MSI: download
luksbox-v0.2.1-x86_64-windows.msi. This
MSI does not include WinFsp; install WinFsp 2.x
separately from https://winfsp.dev/rel/ first
(LUKSbox statically links winfsp-x64.dll and the MSI
refuses to install without it). For unattended deploy
behind Group Policy / SCCM / Intune where WinFsp is
managed as a separate dependency, this is the right
artifact. Otherwise the -setup.exe above is easier.

Windows (x86_64), portable: unzip
luksbox-v0.2.1-x86_64-windows.zip
and run the .exe in place. No installation, no Start
menu entry, no PATH change. Same binaries as the MSI.
Because nothing was added to PATH, you must either
(a) run from a shell where <WinFspInstall>\bin is on
PATH, or (b) drop a copy of winfsp-x64.dll next to
luksbox.exe in the unzipped folder.

libfido2 is statically linked into the .exe; no runtime
install needed for FIDO2.

See the Verify your download section at the top for
checksum verification commands.

Full Changelog: v0.2.0...v0.2.1

Assets 19
Loading