Use these checks before running an installer. Windows release installers are Authenticode signed starting with v1.9.0, and SHA-256 checksums plus GitHub Artifact Attestations remain recommended verification steps for manual downloads.
Check the source
Official downloads are available only from hardviz.com, GitHub Releases, and Winget where available.
Check that the file has not been changed
For a stricter check, copy the SHA-256 value from the download page, then run the matching checksum command from the latest release verification commands. The command output should match the copied value exactly. For details, see Installer verification in the GitHub documentation.
Verify GitHub Artifact Attestations
For releases that publish attestations, use GitHub CLI to verify that the asset was produced by the official repository. The latest release commands are listed below.
gh attestation verify ./HardwareVisualizer_* -R shm11C3/HardwareVisualizer
Review signing status
Windows .exe and .msi release installers are Authenticode signed starting with v1.9.0. Earlier Windows releases may be unsigned.
macOS builds are signed and notarized. Linux packages are not currently signed with a Linux package-signing mechanism, so verify them with checksums and attestations.
Release assets ending in .sig are Tauri updater signatures for the in-app update path; they do not replace platform signing, SHA-256 checksums, or GitHub Artifact Attestations for manual downloads.