Skip to content

v0.2.2

Choose a tag to compare

View all tags
@github-actions github-actions released this 04 Jun 08:06
· 16 commits to main since this release
v0.2.2
This tag was signed with the committer’s verified signature.
FlUxIuS Sébastien Dudek
GPG key ID: 09F8063D55D60A54
Verified
Learn about vigilant mode.
ecde527
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS
# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File SHA-256
luksbox-0.2.2-1.aarch64.rpm 307aa9e0da1fc210139365d873cf8671c8f243615107fe718deab56b66931d3d
luksbox-0.2.2-1.x86_64.rpm 47dab8986305678619704112c4fa26b5a7329df86033992b2baa65fbd2412c09
luksbox-v0.2.2-aarch64-linux-trixie.tar.gz 0eec5fee6c7d8e67c0c12fb0a61a95fd35968cd61a61dc87c9bdefa348880bee
luksbox-v0.2.2-aarch64-macos-macfuse-portable.tar.gz 12ffecb053d81acb03bc4fa152c1466ce3d47d2a8bda0bad42934d014111986f
luksbox-v0.2.2-aarch64-macos-macfuse.dmg 9966fa9c78f46de8dc297b0795c9b412d5577111f5b089577605873543aefeff
luksbox-v0.2.2-x86_64-linux-jammy.tar.gz d02ebc004d8dc7197bad3249e0d3197e9a0774adc2c3b84de7bc2dc014cfc72f
luksbox-v0.2.2-x86_64-windows-setup.exe 65e5263d1f1ccf5cb2a6981f158d3d0675685366b47df1c985120424b74a605d
luksbox-v0.2.2-x86_64-windows.msi 146a5308f537f6a8edab099da6d7374d7c87fafdf13ba56eb6030438bde25777
luksbox-v0.2.2-x86_64-windows.zip c996bcca17ef620dbbf8bcc5a40b3dfb8a9a4af068ab7c99fa3611b10bc3d4a8
luksbox_0.2.2-1_jammy_amd64.deb c6887488f1ce4181040616de053291010b4192f7b7b49b81918f33cb3ded26d3
luksbox_0.2.2-1_jammy_arm64.deb 34a2bbffb433d5ee5cf60d2f053eb8e790321762edeea616ad13bc738ee14e0b
luksbox_0.2.2-1_noble_amd64.deb 9dc5c02b110f9226a5a283fdf6a836062b267209ca6b643caa6d3007bcf1c332
luksbox_0.2.2-1_noble_arm64.deb f8d5e64bab1f9cfdea5d87baa7c00aabb5d780d411fc100687d8ef9afba26437
luksbox_0.2.2-1_trixie_amd64.deb 174425629c9cc0fd321a8ed106851d3cde44f5fd44a0ea65210740f718c8e3f0
luksbox_0.2.2-1_trixie_arm64.deb 70a7f1a95efed2848b2b33f6a1d215ac3a4dd105c054107335fc67e1eea97d6f

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04+, Debian 13+ trixie, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.2.2-x86_64-linux-jammy.tar.gz && cd luksbox-v0.2.2-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.2.2-aarch64-linux-jammy.tar.gz && cd luksbox-v0.2.2-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.2.2-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port - on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.2.2-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI (dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.2.2-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already present) AND LUKSbox in one wizard.
Unattended deploy: LUKSboxSetup.exe /quiet. To skip
WinFsp (e.g., you manage it via Group Policy):
LUKSboxSetup.exe InstallWinFsp=0. WinFsp is bundled
under its non-GPL-app linking exception; full license
ships as LICENSE-WINFSP.txt in the install dir.

Windows (x86_64), IT-admin / bare MSI: download
luksbox-v0.2.2-x86_64-windows.msi. This
MSI does not include WinFsp; install WinFsp 2.x
separately from https://winfsp.dev/rel/ first
(LUKSbox statically links winfsp-x64.dll and the MSI
refuses to install without it). For unattended deploy
behind Group Policy / SCCM / Intune where WinFsp is
managed as a separate dependency, this is the right
artifact. Otherwise the -setup.exe above is easier.

Windows (x86_64), portable: unzip
luksbox-v0.2.2-x86_64-windows.zip
and run the .exe in place. No installation, no Start
menu entry, no PATH change. Same binaries as the MSI.
Because nothing was added to PATH, you must either
(a) run from a shell where <WinFspInstall>\bin is on
PATH, or (b) drop a copy of winfsp-x64.dll next to
luksbox.exe in the unzipped folder.

libfido2 is statically linked into the .exe; no runtime
install needed for FIDO2.

See the Verify your download section at the top for
checksum verification commands.

Full Changelog: v0.2.1...v0.2.2

Assets 19
Loading