diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index 30f3013..1ae641e 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -27,7 +27,7 @@ on:
       - 'sql/**'
 
 permissions:
-  contents: write
+  contents: read
 
 env:
   CARGO_TERM_COLOR: always
@@ -57,6 +57,19 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tag || github.ref }}
 
+      # Release tooling (scripts, packaging helpers) must come from the commit
+      # that defines this workflow, not from the target tag. For
+      # workflow_dispatch, GitHub runs the workflow YAML from the default
+      # branch HEAD while the primary checkout above is pinned to an older
+      # tag, so the tag may predate these scripts. github.sha tracks the
+      # workflow's own commit for both workflow_dispatch (main HEAD) and
+      # push:tags (the tagged commit), keeping YAML and scripts in sync.
+      - name: Checkout release tooling
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }}
+          path: _release_tooling
+
       - name: Set version
         run: |
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
@@ -100,8 +113,7 @@ jobs:
             libxml2-dev \
             libxslt1-dev \
             libicu-dev \
-            file \
-            zip
+            file
 
           install -d -m 0755 /usr/share/keyrings
           curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
@@ -128,7 +140,7 @@ jobs:
             --no-default-features \
             --features "$FEATURES"
 
-          scripts/package-deb.sh \
+          _release_tooling/scripts/package-deb.sh \
             "$VERSION" \
             "$PWD/target/release/pg_durable-pg${{ matrix.pg_version }}" \
             "${{ matrix.platform.type }}" \
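Review bot: The new `uses: actions/checkout@v4` in the tooling step (and its twin in the validate-packages hunk at `@@ -180`) resolves a mutable tag, so the checkout that is meant to be the trusted source of the release scripts is itself fetched by a reference that can move; pin it to a full-length commit SHA, `uses: actions/checkout@<full-commit-sha> # v4`, as is usual for a workflow that publishes release assets. The seven-line comment is accurate but most of it restates GitHub's dispatch semantics; `# Tooling comes from the workflow's own commit (github.sha), not the target tag, which may predate these scripts.` carries the point in one line. The tooling checkout also lands inside the primary working tree at `_release_tooling`, so anything downstream that archives or scans the whole tree (build-source is not visible here) would pick up a second copy of the repository — worth confirming.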
@@ -148,19 +160,12 @@ jobs:
           dpkg-deb -x "$deb_file" check-package
           file "check-package/usr/lib/postgresql/${{ matrix.pg_version }}/lib/pg_durable.so" | grep -E "${{ matrix.platform.file_pattern }}"
 
-      - name: Create package archive
-        run: |
-          cd dist
-          zip "pg-durable-${VERSION}-pg${{ matrix.pg_version }}-${{ matrix.platform.type }}.zip" \
-            pg-durable-postgresql-${{ matrix.pg_version }}_*_${{ matrix.platform.type }}.deb
-
       - name: Upload package artifact
         uses: actions/upload-artifact@v4
         with:
           name: pg-durable-package-${{ github.run_id }}-pg${{ matrix.pg_version }}-${{ matrix.platform.type }}
           path: |
             dist/*.deb
-            dist/*.zip
           retention-days: 30
 
   validate-packages:
@@ -180,6 +185,15 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tag || github.ref }}
 
+      # See build-packages: validation tooling must come from the workflow's
+      # own commit (github.sha), not the target tag, so a tag predating these
+      # scripts still validates correctly.
+      - name: Checkout release tooling
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }}
+          path: _release_tooling
+
       - name: Download package artifact
         uses: actions/download-artifact@v4
         with:
@@ -194,7 +208,7 @@ jobs:
             -w /work \
             --user root \
             debian:bookworm \
-            bash -euxo pipefail -c 'scripts/validate-deb-package.sh "${{ matrix.pg_version }}" "${{ matrix.platform.type }}"'
+            bash -euxo pipefail -c '_release_tooling/scripts/validate-deb-package.sh "${{ matrix.pg_version }}" "${{ matrix.platform.type }}"'
 
       - name: Upload validation diagnostics on failure
         if: failure()
@@ -248,6 +262,8 @@ jobs:
     needs: [validate-packages, build-source]
     runs-on: ubuntu-latest
     if: github.event_name == 'push' || github.event.inputs.publish_release == 'true'
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
 
@@ -278,5 +294,11 @@ jobs:
             --draft
           fi
 
-          find artifacts -type f \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.tar.bz2' \) -print0 \
-            | xargs -0 -I {} gh release upload "$VERSION" "{}" --clobber
\ No newline at end of file
+          mkdir -p release-assets
+          find artifacts -type f \( -name '*.deb' -o -name '*.tar.gz' -o -name '*.tar.bz2' \) \
+            -exec cp -t release-assets {} +
+
+          ( cd release-assets && sha256sum -- * > SHA256SUMS )
+
+          find release-assets -type f -print0 \
+            | xargs -0 -I {} gh release upload "$VERSION" "{}" --clobber
diff --git a/README.md b/README.md
index 24ae577..d99af01 100644
--- a/README.md
+++ b/README.md
@@ -110,7 +110,7 @@ CREATE EXTENSION pg_durable;
 The default pg_durable database is `postgres`; see [User Guide](USER_GUIDE.md) for background worker configuration and privilege setup.
 
-Release assets also include source archives for building from source.
+Each release also publishes source archives for building from source and a `SHA256SUMS` file for verifying downloaded assets.
 
 ## Development Installation
 
diff --git a/scripts/package-deb.sh b/scripts/package-deb.sh
index 25c7a07..629e51b 100755
--- a/scripts/package-deb.sh
+++ b/scripts/package-deb.sh
@@ -22,9 +22,6 @@ case "$ARCH" in
   amd64|x86_64)
     DEB_ARCH="amd64"
     ;;
-  arm64|aarch64)
-    DEB_ARCH="arm64"
-    ;;
   *)
     echo "unsupported architecture: $ARCH" >&2
     exit 2
diff --git a/scripts/validate-deb-package.sh b/scripts/validate-deb-package.sh
index 3a3fab8..914e52b 100755
--- a/scripts/validate-deb-package.sh
+++ b/scripts/validate-deb-package.sh
@@ -19,9 +19,6 @@ case "$ARCH" in
   amd64|x86_64)
     DEB_ARCH="amd64"
     ;;
-  arm64|aarch64)
-    DEB_ARCH="arm64"
-    ;;
   *)
     echo "unsupported architecture: $ARCH" >&2
     exit 2
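Review bot: The flattening `cp -t release-assets {} +` overwrites silently when two artifact directories hold files with the same basename, and `sha256sum` then records only the survivor; a check before the copy closes that gap, e.g. `[ -z "$(find artifacts -type f \( -name '*.deb' -o -name '*.tar.gz' -o -name '*.tar.bz2' \) -printf '%f\n' | sort | uniq -d)" ] || { echo 'duplicate asset basenames' >&2; exit 1; }`. SHA256SUMS is produced on the same runner that built the assets and uploaded with the same token, so it protects against a corrupted download, not against a tampered release; if the README's "verifying downloaded assets" is meant to cover authenticity, the checksum file or the assets would also need a signature or provenance attestation. With no matching files the `*` glob stays literal and `sha256sum` fails the step, which is the right outcome but deserves a one-line comment such as `# fails the job if no assets were collected`. The enclosing `run:` block starts outside the hunk.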