v0.35.0

Vercel AI Gateway and secret UI stuff

This release adds support for Vercel's fancy AI Gateway as well as a boatload of improvements to the secret-not-secret UI refactor that we've cleverly hidden behind a flag. Details below.

Hello Vercel AI Gateway

If you're one of those so-called “production-grade AI” people then you might like to know that Crush now supports the Vercel AI Gateway. Just pop in your API key (pro tip: use your boss’s key), choose your fave model, mash out a prompt and LET IT RIP.

Shhhhh

We're refactoring the UI for speed and code simplicity. It's not totally finished yet but, if you dare, set CRUSH_NEW_UI=1 to try it out. Feedback welcome!

You probably already know this but…

…you rock. Thanks for all the Crush love. Your feedback for us is like ambrosia for Zeus.

Enjoy your weekend! 💖

Changelog

New!

• 88d10d1: feat(ui): add keybinding to copy chat message content to clipboard (#1947) (@aymanbagabas)
• 28e0ff3: feat: implement onboarding flow on the new ui codebase (@andreynering)
• 0d4cbf8: feat: lsp_restart (#1930) (@caarlos0)

Fixed

• 44e1ca7: fix(dialogs): prevent panic due to negative index (@andreynering)
• 1073723: fix(list): prevent panic due to negative index (@andreynering)
• 676c038: fix(ui): models: ensure select loop breaks correctly and scroll to top on filter (@aymanbagabas)
• b50d579: fix(ui): only copy chat highlight when we have highlighted content (@aymanbagabas)
• 8a37a34: fix(ui): prevent AAAA probe bleed in terminals without Kitty graphics support (#1967) (@AnyCPU)
• 505283a: fix(ui): rework cursor can appear out of place on multi-line (#1948) (@aymanbagabas)
• 1fad83b: fix: add back suspend (@kujtimiihoxha)
• 9604c92: fix: commands height (#1954) (@kujtimiihoxha)
• fb3eeb0: fix: completions width (#1956) (@kujtimiihoxha)
• 1e691e0: fix: ensure hyper is the first provider in the list (@andreynering)
• 698b7c8: fix: handle new session when focused on the list (@kujtimiihoxha)
• f002e6f: fix: lsp sort (@kujtimiihoxha)
• 4cf6af0: fix: make sure we have a fresh model/tools on each call (@kujtimiihoxha)
• 6ba301e: fix: new/update message behavior (#1958) (@kujtimiihoxha)
• 945006a: fix: permission notification (#1955) (@kujtimiihoxha)
• 1382753: fix: route mouse events to the dialog if its showing (#1953) (@kujtimiihoxha)
• 891b535: fix: tab to chat only when in chat (@kujtimiihoxha)

Docs

• da6f51e: docs: add vercel ai gateway to readme (#1951) (@jerilynzheng)

Other stuff

• 1b61cd2: chore: change the dialog sizes a bit (@kujtimiihoxha)
• e753d09: chore: do not scroll sessions if not neccessary (@kujtimiihoxha)
• 8ebe914: refactor(ui): add references tool (#1940) (@kujtimiihoxha)
• 4e66b9c: refactor(ui): enable initialize (@kujtimiihoxha)
• 5454a2e: refactor: rename uiConfigure to uiOnboarding (@andreynering)
• 49a41de: refactor: use different ansi image library (#1964) (@kujtimiihoxha)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.35.0/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.35.0/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

nightly: chore: bump glamour to v2.0.0-20260123212943-6014aa153a9b

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download//checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download//checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.34.0

Non-interactive mode improvements + more!

How's it going? We've been busy! The main focus of this release is crush run, aka non-interactive mode, but there are some other gems here as well. For more, read on.

Now with more non-interactivity

Crush is really powerful in scripts, CI/CD, and so on, and we're seeing more and more headless Crush usage. On that note, this release adds some improvements to non-interactive mode.

You can can now specify a model with the --model flag, which allows you to specify a model and provider via a {model} or {provider}/{model} format. For example:

# Model arguments are case sensitive
crush run --model "glm-4.7"                              # Find the first available configured instance of GLM-4.7
crush run --model "openai/gpt-5.2-codex"                 # Use GPT-5.2-Codex at OpenAI
crush run --model "synthetic/hf:MiniMaxAI/MiniMax-M2.1"  # Multiple slashes are totally fine

Wondering what models are available? Check out crush models. Works great with grep, too.

Better edits and QoL

Not less important, this release include some bug fixes for the edit tool. Also, the terminal tab title will be set automatically as a small QoL improvement brough by our contributor @mhpenta.

Why are there so many commits?

You… might also have noticed there are a boatload of commits in this release. We're overhauling the UI internals to greatly reduce code complexity and improve performance. To try the new version, set CRUSH_NEW_UI=1, and let us know if you have any feedback, bearing in mind that the new UI is still a work in progress.

See ya!
Charm 💘

Changelog

New!

• 4316ef3: feat(chat): expandable thinking for assistant (@kujtimiihoxha)
• 27fa971: feat(ui): add basic dialog and new UI structure (@aymanbagabas)
• 7d99762: feat(ui): add chat and editor models with keybindings (@aymanbagabas)
• 82bc601: feat(ui): add common utils and refactor chat message items and tools (@aymanbagabas)
• 470e6f6: feat(ui): add initial sidebar component with logo (@aymanbagabas)
• afb5467: feat(ui): add mouse click handling to lazy list items (@aymanbagabas)
• b71baee: feat(ui): add optimized list component with focus navigation (@aymanbagabas)
• 9c00130: feat(ui): add text highlighting support to lazylist (@aymanbagabas)
• ca3e06a: feat(ui): chat: add navigation and keybindings (@aymanbagabas)
• a5c597b: feat(ui): copy chat highlighted content to clipboard (@aymanbagabas)
• 5d2c533: feat(ui): dialog: add file picker dialog with image preview (@aymanbagabas)
• 517a361: feat(ui): dialog: wrap navigation from last to first and vice versa (@aymanbagabas)
• 77ecb39: feat(ui): filepicker: add image attachment support with preview (@aymanbagabas)
• d4ffb55: feat(ui): filepicker: support kitty graphics in tmux (@aymanbagabas)
• 8ded0be: feat(ui): filepicker: support kitty graphics in tmux (#1884) (@aymanbagabas)
• 22040d2: feat(ui): implement tea.Layer Draw for UI model (@aymanbagabas)
• 0633988: feat(ui): initial chat ui implementation (@aymanbagabas)
• cd88520: feat(ui): initial lazy-loaded list implementation (@aymanbagabas)
• 8d7e64f: feat(ui): invalidate rendered items on focus/blur (@aymanbagabas)
• c0be798: feat(ui): list: expose filterable items source type and return values for selection methods (@aymanbagabas)
• 90491b4: feat(ui): model dialog: implement model selection handling (@aymanbagabas)
• 26145a7: feat(ui): model selection dialog (@aymanbagabas)
• f541590: feat(ui): models dialog: filter by provider and model name (@aymanbagabas)
• c280dd5: feat(ui): models dialog: improve group filtering by ignoring spaces (@aymanbagabas)
• 819c33d: feat(ui): new session selector dialog (@aymanbagabas)
• 953d181: feat(ui): optimize ScrollToBottom in lazylist (@aymanbagabas)
• 8783795: feat(ui): restructure UI package into subpackages (@aymanbagabas)
• b93a334: feat(ui): show working directory in window title (@aymanbagabas)
• d9e6736: feat(ui): simplify editor and embed into main UI model (@aymanbagabas)
• 17e6616: feat(ui): status: add status bar with info messages and help toggle (@aymanbagabas)
• 742b4d3: feat(ui): use the new UI behind a feature flag (@aymanbagabas)
• 3f7de0e: feat(ui): wip: add commands dialog to show available commands (@aymanbagabas)
• cd81f94: feat(ui): wip: basic chat message sending (@aymanbagabas)
• 030c8fc: feat: allow to send the prompt if its empty but has text attachments (#1809) (@caarlos0)
• b66db25: feat: attachments (#1797) (@caarlos0)
• 23e0b06: feat: completions menu (#1781) (@caarlos0)
• 3669423: feat: crush run --model, and crush models (#1889) (@caarlos0)
• dcd664a: feat: implement api key input dialog on new ui codebase (#1836) (@andreynering)
• f2f4454: feat: implement github copilot oauth flow in the new ui codebase (@andreynering)
• c45b152: feat: implement hyper oauth flow in the new ui codebase (@andreynering)
• f48a3ed: feat: implement text highlighting in list items (#1536) (@aymanbagabas)
• 4086e2f: feat: increase paste lines as attachment threshold (#1936) (@caarlos0)
• 7c99274: feat: open editor in the right position (#1803) (@caarlos0)
• 1e83e66: feat: paste as file (#1800) (@caarlos0)

Fixed

• 03beedc: fix(chat): do not mark tools with results as canceled (@kujtimiihoxha)
• ff9cbf6: fix(chat): only spin when there is no and no tool calls (@kujtimiihoxha)
• b6185b1: fix(chat): race condition (@kujtimiihoxha)
• d5f0987: fix(chat): reset index and paused animations (@kujtimiihoxha)
• c74a5c4: fix(dialog): commands: execute command handlers properly (@aymanbagabas)
• e38ffc3: fix(models): ensure that we show unknown providers on the list (@andreynering)
• b66676c: fix(sec): do not output resolved command (#1934) (@caarlos0)
• 098bc8a: fix(sessions): select the current session in dialog (@kujtimiihoxha)
• 6b8ca6a: fix(ui): accurately calculate help and main height in UI layout (@aymanbagabas)
• 706e359: fix(ui): adjust app and help area margins (@aymanbagabas)
• 675d851: fix(ui): adjust dialog sizing to account for dynamic title and help heights (@aymanbagabas)
• 84bbd5b: fix(ui): change UI model receiver to pointer back (@aymanbagabas)
• f0942a7: fix(ui): change pointer receivers to value receivers (@aymanbagabas)
• 6a57463: fix(ui): completions: load files asynchronously (@aymanbagabas)
• 0c8cd47: fix(ui): completions: simplify Close method (@aymanbagabas)
• 6c05739: fix(ui): completions: simplify completions popup message handling (@aymanbagabas)
• e2a586c: fix(ui): correct scrolling up behavior in lazy list (@aymanbagabas)
• 9899424: fix(ui): dialog sessions refactor and close commands dialog on select (@aymanbagabas)
• d54a5e7: fix(ui): dialog: align radio buttons with checkboxes (@aymanbagabas)
• f14253f: fix(ui): dialog: clarify session age display (@aymanbagabas)
• 67ac46a: fix(ui): dialog: no need for groupItems map in ModelsList.VisibleItems (@aymanbagabas)
• fedf059: fix(ui): dialog: saveKeyAndContinue should return Action (@aymanbagabas)
• 82eafde: fix(ui): dialog: show provider name for recent models (@aymanbagabas)
• 179e17f: fix(ui): dialog: show shortcut/info in list items (@aymanbagabas)
• fb78b80: fix(ui): dialogs: ensure returned commands are executed (@aymanbagabas)
• 876048d: fix(ui): do not allow summarizing if agent is busy (@kujtimiihoxha)
  ...

v0.33.3

Mini MCP Fix

This patch reverts a change which caused MCPs to block the first interaction until loaded. No more! MCPs are back to async.

Hope you're having a great weekend! 💘

Fixed

• c0662f1: fix: do not wait for MCP on interactive mode (@kujtimiihoxha)
• e557065: fix: don't build native clipboard for ios (@aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.33.3/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.33.3/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.33.2

Pasting images from the ol’ clipboard 🖼️

Thanks to contributor @kslamph you can now paste images from clipboard directly into Crush.

Many other fixes are included to make Crush more stable and reliable as well.

Enjoy! ✨

Changelog

New!

• feat: add clipboard image paste functionality to chat editor by @kslamph in #1151

Fixed

• fix: race in agent.go by @caarlos0 in #1853
• fix: resolve extra headers for providers by @kujtimiihoxha in #1764
• fix: make hyper and copilot link styled on ui by @andreynering in #1872
• fix: try to make the search tool more reliable by @kujtimiihoxha in #1779
• fix: mcps loading in non interactive mode by @kujtimiihoxha in #1894

Other stuff

• chore(README): update crush art by @meowgorithm in #1861
• chore: tidy agent package by @meowgorithm in #1857
• chore: fix more typos by @meowgorithm in #1863
• docs(readme): update features section by @meowgorithm in #1883
• docs(readme): pull extra comma by @meowgorithm in #1887
• chore: use posthog's default exception reporting by @andreynering in #1895

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.33.2/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.33.2/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.32.1

For a Few Fixes More

This is tiny patch release where we fix a panic that could occur in Gemini as well as another a race condition where session titles might be generated but not applied.

We also increased security jobs, turned on the race detector, and improved builds overall in CI.

Cheers!
Charm 💘

Changelog

Fixed

• 87df08c: fix: race condition where title might not be generated (#1844) (@meowgorithm)
• 9d9cfa1: fix: update fantasy with panic fix for google gemini (#1840) (@andreynering)

Other stuff

• dd0d6cf: chore: fix some typos (@jeis4wpi)
• 3fd9d97: ci(sec): add more security jobs, improve build, enable race detector (#1849) (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.32.1/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.32.1/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.32.0

Optimizations and More

Our most ripped dev @caarlos0 ripped more than his abs in today’s release. Thanks to him, Crush now uses less memory and has faster startup and shutdown times across the board.

If you only use Crush because of local models, you might be interested in the contribution from @jonhoo who added a disable_default_providers setting to disable all default providers. Note that CRUSH_DISABLE_DEFAULT_PROVIDERS=1 has been around for a bit and will also work.

See you on the internet! 🌐

Changelog

New!

• 163abdc: feat: add disable_default_providers option (#1675) (@jonhoo)
• 617f9e2: feat: allow to send the prompt if its empty but has text attachments (#1806) (@caarlos0)
• 467418d: feat: open editor in the right position (#1804) (@caarlos0)

Fixed

• df6f514: fix(sqlite): busy timeout (#1815) (@caarlos0)
• 2350f7e: fix: make sure to unlock in goroutine (#1820) (@caarlos0)

Docs

• a4f5d72: docs(README): add FreeBSD installation instructions (@meowgorithm)

Other stuff

• 6f0f519: Fix shutdown (#1833) (@kujtimiihoxha)
• b2252f8: chore: auto-update files (@charmcli)
• a447f55: perf(config): simplify loadFromConfigPaths (#1821) (@caarlos0)
• e4400ad: perf(shell): reduce allocations in updateShellFromRunner (#1817) (@caarlos0)
• b884767: perf: fix possibly unclosed resp.body (#1818) (@caarlos0)
• 6f646c9: perf: improve startup and shutdown speed (#1829) (@caarlos0)
• d1382bb: perf: reduce memory usage (#1812) (@caarlos0)
• 0868681: perf: use strings.Builder for string concatenation in loops (#1819) (@caarlos0)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.32.0/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.32.0/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.31.0

Fixes and ch-ch-ch-changes

How's it going? This is primarily a maintenance release.

• Skills can now be loaded from a general "agents" directory (e.g ~/.config/agents/skills)
• Claude Code support was removed to align with Anthropic’s terms of service
• Various small fixes and UX improvements

Special thanks, as always, to star contributor @Amolith for the constant improvements. See you next release 💘

Changelog

New!

• 6b3cd26: feat(skills): also load from .config/agents (#1755) (@Amolith)
• 5590161: feat: remove claude code support (#1783) (@andreynering)

Fixed

• bf39639: Revert "fix: prevent filename insertion when dragging attachments" (#1773) (@meowgorithm)
• 43b0e0b: fix(mcp): centrally filter disabled tools (#1622) (@Amolith)
• ca21111: fix(posthog): correct bool prop name for non-interactive mode (#1771) (@andreynering)
• 56f1b37: fix(posthog): normalize interactive prop case (@andreynering)
• 2bdac87: fix: mark files that are attched as read (#1777) (@kujtimiihoxha)

Other stuff

• 4cc3aeb: chore: fix typo in const name (@andreynering)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.31.0/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.31.0/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.30.3

More Models

This release brings new models to GitHub Copilot users:

• Claude Opus 4.5
• GPT 5.2
• GPT 5.1
• GPT 5.1 Codex
• GPT 5.1 Max

Remember that you need to enable those in Copilot settings in order for them to work properly!

Also included are fixes to reduce the number of count requests on Copilot when using sub-agents (searches, etc).

Changelog

Fixed

• 5f7beb0: fix: enable responses api for github copilot (@andreynering)
• a94866c: fix: quota for subagents in copilot (@kujtimiihoxha)

Other stuff

• 58b2c5b: chore(copilot): update message: "wait a minute" -> "wait 5 minutes" (@andreynering)
• c70d34d: chore: make it so the small model also is always considered a subagent (@kujtimiihoxha)
• 65e20ea: chore: update fantasy to v0.6.0 (@andreynering)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.30.3/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.30.3/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.30.2

Quick ’Lil Patch

This is a tiny patch release to fix a nil pointer issue in the last release, as reported by @umairimtiaz9. Thanks, Umair! 💘

Changelog

Fixed

• b618a5b: fix(sessions): nil pointer dereference (#1759) (@meowgorithm)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.30.2/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.30.2/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.