
Verify installer signatures

Verify Apple Notarization, Windows Authenticode, and Linux GPG signatures on Vupt installers before running.

Every Vupt installer ships signed. Before you run it, verify the signature with the platform-native tools. A valid signature proves that the bytes you have are the ones Vupt signed and that nothing changed them in transit; it says nothing about the build that happened before signing, which is why the identity behind the signature (Team ID, certificate subject, GPG fingerprint) must also match what Vupt publishes.

macOS — Apple Notarization

After downloading Vupt-{version}-arm64.dmg or Vupt-{version}-x64.dmg:

# Mount the DMG and locate Vupt.app
hdiutil attach Vupt-{version}-arm64.dmg
cd /Volumes/Vupt

# Check the signature and the Developer ID chain (--deep also covers nested
# frameworks and helper binaries, --strict rejects anything macOS would not accept)
codesign --verify --deep --strict --verbose=2 Vupt.app
# Expected:
#   Vupt.app: valid on disk
#   Vupt.app: satisfies its Designated Requirement

# Ask Gatekeeper to assess the app. With a stapled notarization ticket this
# works offline; otherwise macOS looks the ticket up at Apple.
spctl --assess --type execute --verbose Vupt.app
# Expected:
#   Vupt.app: accepted
#   source=Notarized Developer ID

# Inspect the certificate chain and the Team ID (codesign prints these on stderr)
codesign -dvvv Vupt.app 2>&1 | grep -E "^(Authority|TeamIdentifier)="
# Expected: the first Authority= line is "Developer ID Application: <Vupt> (<Team ID>)",
# the chain ends at "Apple Root CA", and TeamIdentifier= is Vupt's Apple Developer Team ID

If codesign or spctl reports anything other than valid/accepted, or the TeamIdentifier does not match the Team ID Vupt publishes, do not run the binary. Re-download or contact [email protected]. Note that spctl does not tell you whether the notarization ticket is stapled to the bundle; xcrun stapler validate Vupt.app does, which matters if you verify on a machine without network access.
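The same macOS checks as a script, so that the Team ID is compared against a pinned value instead of read by eye. This is an added example, not part of the Vupt docs or of Vupt's own tooling; the VUPT_TEAM_ID value is a hypothetical placeholder (Vupt's real Team ID must be obtained through a channel other than the download itself), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Vupt's tooling): script the macOS signature checks and
# compare the TeamIdentifier against a pinned value.
set -u

# Placeholder, not Vupt's real Team ID. Pin the real one after confirming it
# through a second channel (documentation, support), never from the DMG itself.
VUPT_TEAM_ID="${VUPT_TEAM_ID:-ABCDE12345}"

# check_codesign_details: read the output of `codesign -dvvv APP 2>&1` on stdin.
# Succeed only if the leaf certificate is a "Developer ID Application" cert and
# the TeamIdentifier= line matches the pinned Team ID ($1).
check_codesign_details() {
    expected=$1
    leaf=""
    team=""
    while IFS= read -r line; do
        case "$line" in
            Authority=*)
                # codesign lists the chain leaf-first; keep the first one
                [ -z "$leaf" ] && leaf=${line#Authority=}
                ;;
            TeamIdentifier=*)
                team=${line#TeamIdentifier=}
                ;;
        esac
    done
    case "$leaf" in
        "Developer ID Application: "*) ;;
        *)
            echo "leaf certificate is not a Developer ID Application cert: '$leaf'" >&2
            return 1
            ;;
    esac
    if [ "$team" != "$expected" ]; then
        echo "TeamIdentifier '$team' does not match pinned '$expected'" >&2
        return 1
    fi
    echo "signed by $leaf (Team ID $team)" >&2
    return 0
}

# verify_mac_app APP: run the three checks from the docs against a bundle path,
# e.g. verify_mac_app /Volumes/Vupt/Vupt.app
verify_mac_app() {
    app=$1
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    spctl --assess --type execute "$app" || return 1
    codesign -dvvv "$app" 2>&1 | check_codesign_details "$VUPT_TEAM_ID"
}
```

The parser deliberately ignores the Team ID embedded in the Authority= subject and reads TeamIdentifier= instead; the former is free text inside a certificate name, the latter is the value codesign extracted for you.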

Windows — Authenticode

After downloading Vupt-{version}-windows-x64.msi:

# PowerShell
Get-AuthenticodeSignature .\Vupt-{version}-windows-x64.msi |
  Format-List Status, SignerCertificate, SignatureType, TimeStamperCertificate

# Expected:
#   Status: Valid
#   SignerCertificate Subject: CN=Vupt, ...
#   SignatureType: Authenticode
#   TimeStamperCertificate Subject: <RFC 3161 timestamp authority>

Alternatively with signtool.exe (Windows SDK):

signtool verify /pa /v Vupt-{version}-windows-x64.msi

/pa selects the default Authenticode verification policy; without it signtool applies the kernel-mode driver policy and rejects an ordinary installer. /v prints the full certificate chain and the timestamp.

Status: Valid on its own only means the signature chains to a root Windows trusts, and anyone can buy a code-signing certificate. The result is trustworthy only when the SignerCertificate subject is Vupt's; if Vupt publishes the certificate thumbprint, compare that as well.

Linux — GPG signature on AppImage

After downloading Vupt-{version}.AppImage and the matching .sig file:

# Import Vupt's release public key (one-time)
curl -fsSL https://vupt.dev/keys/release-pubkey.asc | gpg --import
# Before trusting the key, compare its fingerprint (gpg --fingerprint "Vupt Releases")
# with a copy obtained through a channel other than the download host. A key and a
# signature fetched from the same place only prove that both came from that place.

# Verify (signature file first, then the file it covers)
gpg --verify Vupt-{version}.AppImage.sig Vupt-{version}.AppImage

# Expected: gpg: Good signature from "Vupt Releases <[email protected]>"
# A following "WARNING: This key is not certified with a trusted signature!" is
# normal for a freshly imported key and is not a failure; what matters is that
# the key gpg reports using is the fingerprint you checked above.

What to do if verification fails

  1. Re-download the installer and its signature from the official source (releases.vupt.dev), not from a mirror or a cached copy.
  2. Verify the SHA-256 checksum against the published one on vupt.dev/changelog. A matching checksum with a failing signature points at a key or tooling problem on your side; a mismatch means the download is corrupt or altered.
  3. If it still fails, email [email protected] with the file, your platform, and the full verification output. Do not run the binary.
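The Linux verification and the checksum step above as a script that reads gpg's machine-readable status lines instead of grepping "Good signature", which also matches signatures from any other key you happen to have imported. This is an added example, not part of the Vupt docs or of Vupt's release tooling; VUPT_RELEASE_FPR is a hypothetical placeholder for the fingerprint of Vupt's release key, which must be pinned after being confirmed through a channel other than the download host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Vupt's tooling): verify an AppImage against a pinned
# release-key fingerprint via gpg --status-fd, and check a SHA-256 the same way.
set -u

# Placeholder, not Vupt's real fingerprint. Pin the real 40-hex-digit value here.
VUPT_RELEASE_FPR="${VUPT_RELEASE_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"

# check_gpg_status FPR: read `gpg --status-fd 1 --verify` lines on stdin.
# Succeed only if a VALIDSIG line names the pinned fingerprint (as the signing
# key or as its primary key, since releases are often signed by a subkey) and
# no negative verdict appears anywhere in the output.
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    matched=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # fields: [GNUPG:] VALIDSIG <sig-key-fpr> <date> ... <primary-key-fpr>
                set -- $line
                sig_fpr=$3
                for f in "$@"; do :; done
                primary_fpr=$f
                if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    matched=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*)
                echo "gpg verdict: $line" >&2; bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*)
                echo "gpg verdict: $line" >&2; bad=1 ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ "$matched" -eq 1 ]; then
        echo "valid signature from pinned key $expected" >&2
        return 0
    fi
    echo "signature not accepted (pinned key matched=$matched, negative verdict=$bad)" >&2
    return 1
}

# verify_appimage FILE [SIGFILE]: run gpg and evaluate its status lines.
# Human-readable output goes to stderr and is discarded; status lines go to stdout.
verify_appimage() {
    file=$1
    sig=${2:-$1.sig}
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | check_gpg_status "$VUPT_RELEASE_FPR"
}

# check_sha256 FILE EXPECTED_HEX: step 2 of the failure procedure. A checksum
# served by the same host as the installer only detects corruption, not a
# compromised host; the signature check is what detects tampering.
check_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS
    fi
    [ "$actual" = "$expected" ]
}

# Usage:
#   verify_appimage Vupt-1.2.3.AppImage && check_sha256 Vupt-1.2.3.AppImage <published sha256> \
#       && chmod +x Vupt-1.2.3.AppImage
```

Pinning the fingerprint means the "not certified with a trusted signature" warning and gpg's web-of-trust state become irrelevant: the script accepts exactly one key, and a "Good signature" from any other key is rejected.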

Why this matters

A malicious distributor could repackage Vupt with backdoor code and serve it from a CDN cache, a mirror, or a compromised download link. Signature verification gives you a cryptographic guarantee that the bytes you have are exactly the bytes Vupt signed, with no modification anywhere between signing and your disk. It does not cover what happened before signing: a compromised build pipeline would produce a validly signed backdoor, and the guarantee is only as strong as the protection of Vupt's signing keys. That is also why a "valid" result is not enough on its own; the Team ID, certificate subject, and GPG fingerprint must match values obtained independently of the download.

For the audit layer that verifies the cost-attribution chain inside Vupt at runtime, see verify-cost-chain.sh.
