Thoth SDK
sdk v0.1.15 / proxy v0.3.4

Release Channels + Verification

Enterprise release distribution pathways for thoth and thothctl, including Homebrew, notarized PKG, signatures, SBOMs, and provenance verification.

Use this guide to choose the right thoth/v* release pathway and verify release authenticity before endpoint rollout.

Current stable release

  • Binary line: thoth/v0.3.4
  • Repository: atensecurity/thoth

Channel 1: Homebrew tap

Install:

brew tap atensecurity/tap
brew install thoth

Upgrade:

brew update
brew upgrade thoth

Validate:

thoth --version
thothctl --version

thothctl is installed with thoth; there is no separate thothctl formula.

Channel 2: Notarized PKG (macOS)

Download thoth-macos-universal.pkg from the matching v* release in atensecurity/thoth.

Install locally:

sudo installer -pkg thoth-macos-universal.pkg -target /

Validate Apple trust:

pkgutil --check-signature thoth-macos-universal.pkg
spctl --assess --type install --verbose=4 thoth-macos-universal.pkg

Post-install validation:

thoth --version
thothctl --version
thoth health --json

Channel 3: Direct binaries (Linux/Windows/macOS automation)

Download platform-specific assets from atensecurity/thoth release v<version>:

  • thoth-linux-x86_64
  • thoth-linux-arm64
  • thoth-windows-x86_64.exe
  • thoth-macos-universal
  • matching thothctl-* binaries

Always verify checksums before install. The checksum file only proves anything once its own signature has been verified (see "Required release artifact verification" below), so check the signature on checksums.sha256 first, then run it against the downloaded assets from the same directory:

sha256sum -c checksums.sha256

On macOS without GNU coreutils, use `shasum -a 256 -c checksums.sha256` instead.

Required release artifact verification

1) Sigstore keyless signatures

Each asset has:

  • <asset>.sig
  • <asset>.sigstore.json

Verify one asset (example for checksums.sha256), pinning the expected signing identity and OIDC issuer:

cosign verify-blob \
  --bundle checksums.sha256.sigstore.json \
  --certificate-identity "<expected certificate identity>" \
  --certificate-oidc-issuer "<expected OIDC issuer>" \
  checksums.sha256

Take the expected certificate identity and OIDC issuer from sigstore-metadata.json in the same release and substitute them for the placeholders above. cosign 2.x refuses keyless verification without these two values, and supplying them is what ties the signature to the release pipeline rather than to any certificate Sigstore has ever issued.

2) SBOMs

Artifacts included:

  • sbom.cdx.json (CycloneDX)
  • sbom.spdx.json (SPDX)

Sanity check:

jq -e '.bomFormat == "CycloneDX"' sbom.cdx.json
jq -e '.spdxVersion | startswith("SPDX-")' sbom.spdx.json

3) Provenance + manifest

Artifacts included:

  • provenance.json
  • release-manifest.json

Sanity check:

jq -e '.provenanceType == "release-artifact-provenance"' provenance.json
jq -e '.artifacts | length > 0' release-manifest.json

4) GitHub attestations

Verify attestation for a downloaded asset:

gh attestation verify checksums.sha256 --repo atensecurity/thoth
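The checks above are meant to be run together: verify the checksum file's signature, confirm every downloaded asset matches checksums.sha256, and cross-check the asset list against release-manifest.json. The script below is an added example, not part of the Thoth project or its tooling. It parses sha256sum-format checksum files, reports OK / MISMATCH / MISSING per asset, compares the manifest against the checksum list, and builds the cosign verify-blob command with identity and issuer read from sigstore-metadata.json. The JSON field names "name" (inside .artifacts), "certificateIdentity" and "oidcIssuer" are assumptions, as is the sample release directory it constructs so the script runs offline; adapt the keys to the real files.

```python
"""Offline release-verification helper (added example; assumes the JSON keys noted below)."""
import hashlib
import json
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_checksums(text):
    """Parse sha256sum-format lines ("<hex>  <name>" or "<hex> *<name>") into {name: hex}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - HEX or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[name] = digest
    return entries


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(release_dir):
    """Return {asset: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in checksums.sha256."""
    release_dir = Path(release_dir)
    expected = parse_checksums((release_dir / "checksums.sha256").read_text())
    results = {}
    for name, digest in expected.items():
        path = release_dir / name
        if not path.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == digest else "MISMATCH"
    return results


def manifest_gaps(release_dir):
    """Cross-check release-manifest.json against checksums.sha256.

    Returns (manifest artifacts with no checksum entry, checksum entries absent from the
    manifest). Assumes each element of .artifacts carries a "name" field (hypothetical key).
    """
    release_dir = Path(release_dir)
    manifest = json.loads((release_dir / "release-manifest.json").read_text())
    listed = {a["name"] for a in manifest["artifacts"]}
    checked = set(parse_checksums((release_dir / "checksums.sha256").read_text()))
    return sorted(listed - checked), sorted(checked - listed)


def cosign_verify_command(release_dir, asset):
    """Build the cosign verify-blob argv with identity and issuer pinned from sigstore-metadata.json.

    The keys "certificateIdentity" and "oidcIssuer" are assumed; adapt them to the real file.
    """
    meta = json.loads((Path(release_dir) / "sigstore-metadata.json").read_text())
    return [
        "cosign", "verify-blob",
        "--bundle", f"{asset}.sigstore.json",
        "--certificate-identity", meta["certificateIdentity"],
        "--certificate-oidc-issuer", meta["oidcIssuer"],
        asset,
    ]


def build_sample_release(root):
    """Write a constructed sample release directory (not real Thoth artifacts) for offline runs."""
    root = Path(root)
    assets = {"thoth-linux-x86_64": b"sample binary A", "thothctl-linux-x86_64": b"sample binary B"}
    for name, data in assets.items():
        (root / name).write_bytes(data)
    lines = [f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in assets.items()]
    lines.append(f"{'0' * 64}  thoth-linux-arm64")  # listed but never downloaded -> MISSING
    (root / "checksums.sha256").write_text("\n".join(lines) + "\n")
    (root / "thothctl-linux-x86_64").write_bytes(b"tampered")  # altered after hashing -> MISMATCH
    (root / "release-manifest.json").write_text(json.dumps({"artifacts": [
        {"name": "thoth-linux-x86_64"}, {"name": "thoth-linux-arm64"},
        {"name": "thoth-windows-x86_64.exe"}]}))
    (root / "sigstore-metadata.json").write_text(json.dumps({  # placeholder values, not real ones
        "certificateIdentity": "https://example.invalid/PLACEHOLDER-signing-identity",
        "oidcIssuer": "https://example.invalid/PLACEHOLDER-oidc-issuer"}))
    return root


def run_demo():
    """Run every check against the constructed sample and return the raw results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_release(tmp)
        results = verify_checksums(root)
        missing_checksum, unlisted = manifest_gaps(root)
        cmd = cosign_verify_command(root, "checksums.sha256")
    return results, missing_checksum, unlisted, cmd


if __name__ == "__main__":
    results, missing_checksum, unlisted, cmd = run_demo()
    for name, status in results.items():
        print(f"{status:9} {name}")
    print("in manifest, no checksum:", missing_checksum)
    print("checksum entry, not in manifest:", unlisted)
    print("cosign argv:", cmd)
```

Treat any MISMATCH or MISSING result, or any disagreement between the manifest and the checksum list, as a stop condition for the rollout; the cosign argv is returned rather than executed so the script can be reviewed and wired into CI with the real identity and issuer values.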

MDM packaging recommendations

  • Jamf: deploy notarized PKG + managed config + setup policy.
  • Intune: deploy PKG/Win32 + managed config + setup script.
  • Kandji: deploy notarized PKG + custom script for config enforcement.
  • Santa: apply Team ID and designated requirement rules from santa-metadata.json.