Skip to content

v0.4.0

Latest

Choose a tag to compare

@github-actions github-actions released this 04 Jul 15:07
v0.4.0
779ce36

Verify your download

Cryptographic provenance (GitHub / Sigstore attestation)

Every artifact below is signed via GitHub Artifact
Attestations
,
which uses Sigstore under the hood. The signature proves
the artifact was produced by this exact workflow run on
this exact commit SHA, no human had a chance to swap it
after the fact.

Verify with the GitHub CLI (one-liner):

# Install gh once if you don't have it:
#   sudo apt install gh   |   sudo dnf install gh   |   brew install gh
gh attestation verify <downloaded-file> --owner penthertz
# Prints "Loaded digest ..." then "PASS" with the
# workflow run + commit SHA the artifact came from.

Offline check (no gh needed)

Every artifact also has a SHA-256 in SHA256SUMS.txt
(attached to this release):

# Linux / macOS:
sha256sum -c SHA256SUMS.txt   # Linux
shasum -a 256 -c SHA256SUMS.txt   # macOS
# Windows (PowerShell):
Get-FileHash luksbox-*.msi -Algorithm SHA256
# then compare to the `*.msi` row in SHA256SUMS.txt

Trust chain summary

Artifacts on this release page are uploaded only by the
GitHub Actions release workflow that ran on this tagged
commit (.github/workflows/release.yml in the repo).
The commit itself is GPG-signed by the maintainer, the
upload uses GitHub's OIDC release token, and the
Sigstore attestation above pins the signature to that
workflow run. GPG-signed release tarballs
(SHA256SUMS.txt.asc) and full SLSA L3 provenance are
on the roadmap.

For at-a-glance SHA-256 checking against the published
values:

File SHA-256
luksbox-0.4.0-1.aarch64.rpm c2baece4aadebe18532724d87bd5a56442c14d6b001766391b6c6f2ad2fd3300
luksbox-0.4.0-1.x86_64.rpm ffbc8ad7f42eaa4a175c0f4db8816230143a2af78742a6b9ffb41e4253a0f1ea
luksbox-v0.4.0-aarch64-linux-jammy.tar.gz 79bee2d92eded525a2dda58ec7c3a15bed404542b22fd23accc77803664a249e
luksbox-v0.4.0-aarch64-linux-noble.tar.gz 592484de1120438f59e25c562008b02e3c67528cd5b0ff334f019fd8b862f306
luksbox-v0.4.0-aarch64-linux-resolute.tar.gz 96edc14bfbc6ed68410f89191dadefb80a821e97ed96ebd4ad3834a0d11c4cf6
luksbox-v0.4.0-aarch64-linux-trixie.tar.gz 966b72c18bd5dca34e60c9b376debb84b542f15d28603bd25e247a096a5278ce
luksbox-v0.4.0-aarch64-macos-fuset-portable.tar.gz 385d1b5ae5f114fc9b5a63bafeb988c9c379cdc4b8e4eff084227b2650464e11
luksbox-v0.4.0-aarch64-macos-fuset.dmg d55901fad9593be735950fe088c145b085072763a8204d92737a6dd971b6ee70
luksbox-v0.4.0-aarch64-macos-macfuse-portable.tar.gz 9d3e7a70a6f7b270fff77b6f203cb421397b97da685f1f6b2370fcdab43ccbbd
luksbox-v0.4.0-aarch64-macos-macfuse.dmg cadc7f17cb79a2a602beae8b5b70b7f66336e2bedab81ec96e03de14a789b8c8
luksbox-v0.4.0-x86_64-linux-jammy.tar.gz c35fda379e03a17171258a3bc0559c6cf427aa13c9febee7ab69002c0aa7ca32
luksbox-v0.4.0-x86_64-linux-noble.tar.gz 72345372d74984639a1f0c79a3eeb3376c2ab280b58146b2b0402c3a30053d15
luksbox-v0.4.0-x86_64-linux-resolute.tar.gz b6b519fd585060309c8eea72d642444f094f0e32467b1596d1d4aa403fcac594
luksbox-v0.4.0-x86_64-linux-trixie.tar.gz 9d4c69e5b5723c215dd146e99a3d6f00b04164b4fc8665494888a1ce22df2744
luksbox-v0.4.0-x86_64-windows-setup.exe dbc93c98b75182860b05d6470f679ee9f8e56767d8b58b84c1aa84178a89f082
luksbox-v0.4.0-x86_64-windows.msi 4eecc45e842107ea88405ae3a5cc66049d3978410631cc3a2dd1d75f3d38cb26
luksbox-v0.4.0-x86_64-windows.zip 86a4eb2a322df338282ff86604cfe89385483d8cb43ded8e7bab4ff4dce7eaa4
luksbox_0.4.0-1_jammy_amd64.deb 97b2f098aad899ec3de63b78ae403d2ebd392f02d5418190ee4ce9f2cba4d1f9
luksbox_0.4.0-1_jammy_arm64.deb 91f55bba2b030643d03a988da0ac2863906f5ffc3fc71d079d3841cd7385ed7d
luksbox_0.4.0-1_noble_amd64.deb 28aab9ea65895d6a7f089909c4502141c4699bdd356cd2664d3f3070dd8dd9a1
luksbox_0.4.0-1_noble_arm64.deb 6584370cbb82f5e7299b0c31aea07f616f24e23e4350e6cdb60b5da608784db9
luksbox_0.4.0-1_resolute_amd64.deb d829094dc656dcebdcb3593999e6cc98207ddf7f164a0355bce90f2bf40d002c
luksbox_0.4.0-1_resolute_arm64.deb 565ab2c8a5a39a61a077ea9a6aeab4510bd86b4dfe4e6178150a179f993b109a
luksbox_0.4.0-1_trixie_amd64.deb 242e368fa2dd6be8ce833fdbcc31c033914181efa78613ef6d87a786a62d60d4
luksbox_0.4.0-1_trixie_arm64.deb a1cedbfb59d6025db4d1358f8dc114a61910446e5e856258a937186627618312

Install

Linux (Ubuntu 22.04, Debian 11/12, Mint 21.x, .deb):
download luksbox_*_jammy_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_jammy_amd64.deb.
Pulls in libfido2-1, libfuse3-3, and libtss2-*
automatically. Registers a luksbox-gui desktop
launcher and a MIME type for .lbx files.

Linux (Ubuntu 24.04 noble, .deb):
download luksbox_*_noble_amd64.deb (or _arm64) and
install with sudo apt install ./luksbox_*_noble_amd64.deb.
Same package layout as the jammy build, but with
t64-transitioned dependency names (libssl3t64,
libfido2-1t64, libtss2-mu-4.0.1-0t64, etc.). The
jammy and noble .deb files cannot be installed
interchangeably, the dependency names differ.

Linux (Debian 13 trixie / Ubuntu 26.04 resolute, .deb):
these distros bump shared-library sonames again past
noble, so they get their own builds. Download
luksbox_*_trixie_amd64.deb on Debian 13 or
luksbox_*_resolute_amd64.deb on Ubuntu 26.04 (or the
matching _arm64) and install with sudo apt install ./<file>. Each .deb's dependency names are resolved
against its own distro, so install the one matching your
release rather than the noble build.

Linux (Fedora / RHEL / Rocky / Alma, .rpm): download
luksbox-*.x86_64.rpm (or aarch64.rpm) and install
with sudo dnf install ./luksbox-*.x86_64.rpm (or
sudo rpm -i). One .rpm covers every rpm-based
distro, RPM uses SONAMEs for shared-library
dependencies which are stable across releases.
Pulls in libfido2 and fuse3-libs automatically.

Linux (x86_64, generic tarball): tar xzf luksbox-v0.4.0-x86_64-linux-jammy.tar.gz && cd luksbox-v0.4.0-x86_64-linux-jammy && ./install.sh
For Arch / NixOS / Alpine / any non-deb non-rpm distro.
The jammy variant has the broadest glibc compatibility;
if you are on a very recent distro and prefer the noble
build, swap -jammy for -noble in the filename.
Installs to ~/.local/bin and registers a desktop launcher.
Use ./install.sh --system for system-wide install, or
./install.sh --uninstall to remove. Requires
libfido2-1 (and libfuse3-3 for mount):
sudo apt install libfido2-1 libfuse3-3 (Debian/Ubuntu)
or sudo dnf install libfido2 fuse3-libs (Fedora/RHEL).

Linux (aarch64): tar xzf luksbox-v0.4.0-aarch64-linux-jammy.tar.gz && cd luksbox-v0.4.0-aarch64-linux-jammy && ./install.sh
Same runtime deps and installer as x86_64. Built natively
on a GitHub ARM64 runner, no QEMU emulation. Same
jammy/noble distinction applies as for the .deb above.

macOS (Apple Silicon): two .dmg variants, one per
FUSE backend. Pick one based on which FUSE provider you
want to install. Both .dmgs are otherwise identical
(same crypto, same on-disk format, same UI); the
difference is what luksbox mount calls under the hood
and whether you need a kernel extension.

FUSE-T variant (recommended for personal laptops):

  download: luksbox-v0.4.0-aarch64-macos-fuset.dmg
  install FUSE-T first:
      brew tap macos-fuse-t/homebrew-cask
      brew install --cask fuse-t
  then drag LUKSbox.app onto Applications.

No kernel extension, no Privacy & Security prompt, no
Apple-Silicon Reduced-Security dance. The .app launches
cleanly even if FUSE-T isn't installed yet (you just
can't use mount until you install it). Uses an NFS-
over-loopback transport with NO authentication on the
loopback port
- on a multi-user Mac, any other local
process can connect to the mount via NFSv4 and bypass
LUKSbox's permission model. Documented in
docs/MACOS_FUSE_T.md.
Fine for the common single-user-laptop case.

macFUSE variant (recommended for shared machines or
audit-required deployments):

  download: luksbox-v0.4.0-aarch64-macos-macfuse.dmg
  install macFUSE FIRST (REQUIRED, see warning below):
      brew install --cask macfuse
      # then approve the kext under System Settings
      # -> Privacy & Security and reboot. On Apple
      # Silicon also: Recovery Mode -> Startup Security
      # Utility -> Reduced Security.
  then drag LUKSbox.app onto Applications.

IMPORTANT: this variant transitively links macFUSE's
MFMount.framework. If macFUSE is NOT installed when you
try to launch LUKSbox.app, macOS kills the process
before it can show any UI
(dyld: Library not loaded
error). Install macFUSE first, then the LUKSbox.app.
Uses macFUSE's /dev/macfuse* device-node permissions
for the kernel<->FS channel, which restricts access to
the mounting UID - the better local-attacker model.

Verify which backend a given .app uses:

  /Applications/LUKSbox.app/Contents/MacOS/luksbox --version
  # luksbox X.Y.Z
  # FUSE backend: fuse-t (...)   <- FUSE-T variant
  # FUSE backend: macfuse (...)  <- macFUSE variant

macOS (Apple Silicon), portable .tar.gz: also two
variants, -fuset-portable.tar.gz and -macfuse-portable.tar.gz,
same backend split as the .dmgs. Ships the bare CLI +
GUI binaries (bin/luksbox, bin/luksbox-gui) with
their dylib closure under Frameworks/. Run in place:
./bin/luksbox --help or ./bin/luksbox-gui &. No
.app, no Gatekeeper warning, no quarantine xattr to
clear (when extracted via Terminal). See
README-MACOS.txt inside for the full layout + caveats.

First launch: the .dmg is codesigned with the
Penthertz Apple Developer ID Application certificate
(team 456J2U7HQL) and Apple-notarised
, with the
notarisation ticket stapled to the bundle. macOS shows
the standard "downloaded from internet, are you sure?"
prompt that every Mac shows for any downloaded app -
click Open and you're set. Subsequent launches are
silent. No Gatekeeper override and no
xattr -dr com.apple.quarantine workaround needed.

Verify the signature and notarisation locally:

# Signature: identity + chain trust
codesign --verify --deep --strict --verbose=2 \
    /Applications/LUKSbox.app

# Notarisation: ticket present + valid
spctl --assess --type execute --verbose \
    /Applications/LUKSbox.app
# expects: "accepted, source=Notarized Developer ID"

You can additionally verify the .dmg SHA-256 against
the table at the top of these release notes for an
independent integrity check that doesn't depend on
Apple's PKI.

macOS (Intel): not shipped, build from source with
cargo build --profile release-hardened on an Intel Mac
with brew install libfido2 (the release-hardened
profile matches the hardening flags used for the shipped
Apple-Silicon binary). The CI matrix entry for
x86_64-apple-darwin is commented out in
.github/workflows/release.yml, GitHub's macos-13
runner has been intermittently blocking releases.

Windows (x86_64), recommended: download
luksbox-v0.4.0-x86_64-windows-setup.exe,
double-click. The bootstrapper installs WinFsp 2.0.23075
(if not already present) AND LUKSbox in one wizard.
Unattended deploy: LUKSboxSetup.exe /quiet. To skip
WinFsp (e.g., you manage it via Group Policy):
LUKSboxSetup.exe InstallWinFsp=0. WinFsp is bundled
under its non-GPL-app linking exception; full license
ships as LICENSE-WINFSP.txt in the install dir.

Windows (x86_64), IT-admin / bare MSI: download
luksbox-v0.4.0-x86_64-windows.msi. This
MSI does not include WinFsp; install WinFsp 2.x
separately from https://winfsp.dev/rel/ first
(LUKSbox statically links winfsp-x64.dll and the MSI
refuses to install without it). For unattended deploy
behind Group Policy / SCCM / Intune where WinFsp is
managed as a separate dependency, this is the right
artifact. Otherwise the -setup.exe above is easier.

Windows (x86_64), portable: unzip
luksbox-v0.4.0-x86_64-windows.zip
and run the .exe in place. No installation, no Start
menu entry, no PATH change. Same binaries as the MSI.
Because nothing was added to PATH, you must either
(a) run from a shell where <WinFspInstall>\bin is on
PATH, or (b) drop a copy of winfsp-x64.dll next to
luksbox.exe in the unzipped folder.

libfido2 is statically linked into the .exe; no runtime
install needed for FIDO2.

See the Verify your download section at the top for
checksum verification commands.

What's Changed

Full Changelog: v0.3.1...v0.4.0