Release verification

Verify the extension release, not just the claim.

Every Chrome Web Store package should map to a public source tag, reproducible build instructions, a release artifact hash, and a changelog that calls out sensitive security changes.

Current CWS version: v1.1.7 live; v1.1.8 in preparation

The final v1.1.8 record is published only after the Chrome Web Store package is built, hashed, and submitted.

Source tag: GitHub tag per CWS version

Example: Chrome Web Store version 1.2.4 maps to source tag v1.2.4.

Artifact hash: SHA-256 per release

Each final release publishes the exact ZIP hash for zafu-extension-vX.Y.Z.zip.

Release Record

Field: v1.1.8 CWS Prep
Chrome Web Store version: Pending final package 1.1.8
GitHub source tag: Published as v1.1.8 after the public mirror is synced from the final private-repo commit.
Source commit: Published in the GitHub release notes and attestation statement.
Build instructions: Documented extension ZIP command from extension/. The extension has no runtime npm bundle.
Artifact hash: sha256:<published after final ZIP is built>
Enumerated record: Each release attaches sbom.json (CycloneDX SBOM of the fingerprinted source) and manifest-sha256.json (per-file SHA-256 of every shipped file, icons included), plus a permission diff vs the previous tag.
Dependency lockfile: The extension has no runtime npm bundle, so there is no dependency lockfile to publish. The build is a ZIP of extension/.
Permissions used: storage, alarms, identity, and documented host permissions for explorer, threat-intelligence, Google identity, Supabase, pricing, and Tronscan TRON history import/review endpoints. The full set and a diff vs the previous tag are published in the GitHub release notes.
Known limitations: ZAFU does not sign transactions, custody funds, connect wallets, guarantee safety, or verify exchange-page network selections. The installed Chrome .crx is re-signed by Google and is not byte-identical to the uploaded ZIP, so verification anchors on the runtime fingerprint and the reproducible per-file manifest, not a crx↔zip hash match.
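
Because the installed .crx cannot be matched to the uploaded ZIP by hash, the practical check is the per-file manifest and the permission diff. The following Python checker is an added example, not ZAFU's own tooling: it compares an unpacked extension directory against a per-file SHA-256 manifest (reporting tampered, missing, and unlisted files) and diffs permissions and host_permissions between two manifest.json files. It assumes manifest-sha256.json is a flat {relative path: hex digest} mapping, which the page does not specify, and runs on a constructed sample tree.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_tree(root, expected):
    """Check every file under root against expected {relpath: sha256 hex}.
    Returns (mismatched, missing, extra): tampered, listed-but-absent, unlisted files."""
    actual = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            actual[rel] = sha256_file(full)
    mismatched = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    missing = sorted(p for p in expected if p not in actual)
    extra = sorted(p for p in actual if p not in expected)
    return mismatched, missing, extra

def permission_diff(prev_manifest, new_manifest):
    """Added/removed entries across MV3 'permissions' and 'host_permissions'."""
    def perms(m):
        return set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    prev, new = perms(prev_manifest), perms(new_manifest)
    return sorted(new - prev), sorted(prev - new)

def demo():
    # Constructed sample tree and hash manifest (not ZAFU's real files or hashes).
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "icons"))
        files = {"manifest.json": b'{"manifest_version": 3}', "icons/16.png": b"\x89PNG-sample"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        expected = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}
        expected["background.js"] = "00" * 32                 # listed but never shipped
        with open(os.path.join(root, "extra.js"), "wb") as f:
            f.write(b"not in manifest")                        # shipped but unlisted
        with open(os.path.join(root, "icons", "16.png"), "wb") as f:
            f.write(b"tampered icon bytes")                    # modified after hashing
        hashes = verify_tree(root, expected)
    prev = {"permissions": ["storage", "alarms"], "host_permissions": ["https://api.example/*"]}
    new = {"permissions": ["storage", "alarms", "identity"],
           "host_permissions": ["https://api.example/*", "https://tronscan.example/*"]}
    return hashes, permission_diff(prev, new)
```

Any non-empty mismatched, missing, or extra list means the installed tree does not match the published release record; the permission diff should agree with the one listed in the release notes.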

What Changed

The v1.1.8 prep record covers stablecoin Transfer Check copy, route-aware contact review, TRON history import/review, and the new Tronscan host permission. Final release notes will list the exact shipped changes after packaging.

Public Attestation

ZAFU Chrome Web Store version X.Y.Z was built from GitHub commit <commit> using the public build process documented for tag vX.Y.Z. Artifact hash: sha256:<hash>. Published by ZAFU on <date>.

Independent Verification

Security researchers, technical users, and auditors are invited to verify that the Chrome Web Store package matches the public GitHub release. If you find a mismatch, report it to [email protected].

Future releases may add formal signed provenance using GitHub Actions, Sigstore/cosign, or another supply-chain signing method.

How to Verify