Verify the extension release, not just the claim.
Every Chrome Web Store package should map to a public source tag, reproducible build instructions, a release artifact hash, and a changelog that calls out sensitive security changes.
The final v1.1.8 record is published only after the Chrome Web Store package is built, hashed, and submitted.
Example: Chrome Web Store version 1.2.4 maps to source tag v1.2.4.
Each final release publishes the exact ZIP hash for zafu-extension-vX.Y.Z.zip.
Release Record
| Field | v1.1.8 CWS Prep |
|---|---|
| Chrome Web Store version | Pending final package 1.1.8 |
| GitHub source tag | Published as v1.1.8 after the public mirror is synced from the final private-repo commit. |
| Source commit | Published in the GitHub release notes and attestation statement. |
| Build instructions | Documented extension ZIP command from extension/. The extension has no runtime npm bundle. |
| Artifact hash | sha256:<published after final ZIP is built> |
| Enumerated record | Each release attaches sbom.json (CycloneDX SBOM of the fingerprinted source) and manifest-sha256.json (per-file SHA-256 of every shipped file, icons included), plus a permission diff vs the previous tag. |
| Dependency lockfile | The extension has no runtime npm bundle, so there is no dependency lockfile to publish. The build is a ZIP of extension/. |
| Permissions used | storage, alarms, identity, and documented host permissions for explorer, threat-intelligence, Google identity, Supabase, pricing, and Tronscan TRON history import/review endpoints. The full set and a diff vs the previous tag are published in the GitHub release notes. |
| Known limitations | ZAFU does not sign transactions, custody funds, connect wallets, guarantee safety, or verify exchange-page network selections. The installed Chrome .crx is re-signed by Google and is not byte-identical to the uploaded ZIP, so verification anchors on the runtime fingerprint and the reproducible per-file manifest, not a crx↔zip hash match. |
What Changed
The v1.1.8 prep record covers stablecoin Transfer Check copy, route-aware contact review, TRON history import/review, and the new Tronscan host permission. Final release notes will list the exact shipped changes after packaging.
- Permission changes: treated as high-sensitivity release events and called out in the changelog.
- Address-handling logic: any change to parsing, normalization, poisoning detection, or trusted-contact classification must be listed.
- Remote calls: every new host or changed provider use must be disclosed with when it is called.
- Warning language: copy changes that affect user risk interpretation must be summarized.
- Risk-list behavior: source, threshold, or scoring changes must be explicit.
Public Attestation
ZAFU Chrome Web Store version X.Y.Z was built from GitHub commit <commit> using the public build process documented for tag vX.Y.Z. Artifact hash: sha256:<hash>. Published by ZAFU on <date>.
Independent Verification
Security researchers, technical users, and auditors are invited to verify that the Chrome Web Store package matches the public GitHub release. If you find a mismatch, report it to [email protected].
Future releases may add formal signed provenance using GitHub Actions, Sigstore/cosign, or another supply-chain signing method.
How to Verify
- Open the matching GitHub release — the source of truth for the version, permission set, fingerprint, and attached artifacts.
- Confirm the tag, source commit, release ZIP name, SHA-256 hash, build instructions, and release notes.
- Compare the in-extension Trust & Integrity fingerprint with the published release fingerprint.
- Rebuild from the tag and compare the attached manifest-sha256.json per-file hashes; review sbom.json.
- Inspect whether permissions, address logic, remote calls, warning language, or risk-list behavior changed.
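The rebuild-and-compare step above, as an added example that is not ZAFU's own tooling: it hashes every file in an unpacked extension tree and diffs the result against a published manifest-sha256.json. The manifest layout (a JSON object mapping relative path to hex digest) is an assumption, since the page does not specify it.

```python
# Added example, not ZAFU's own tooling: rebuild the per-file SHA-256 manifest
# from an unpacked extension tree and diff it against the published
# manifest-sha256.json. Assumed layout: JSON object {relative path: hex digest}.
import hashlib
import json
import os
import tempfile

def build_manifest(root):
    """Hash every shipped file under root, icons included, keyed by POSIX relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def compare_manifests(published, rebuilt):
    """Files missing from the rebuild, unexpected extras, and digest mismatches.
    Extras count as failures: an injected file is exactly what tampering adds."""
    missing = sorted(p for p in published if p not in rebuilt)
    extra = sorted(p for p in rebuilt if p not in published)
    changed = sorted(p for p in published
                     if p in rebuilt and published[p].lower() != rebuilt[p].lower())
    return {"missing": missing, "extra": extra, "changed": changed,
            "ok": not (missing or extra or changed)}


def verify_release(root, manifest_path):
    """Diff a rebuilt tree against the published manifest-sha256.json."""
    with open(manifest_path, encoding="utf-8") as f:
        return compare_manifests(json.load(f), build_manifest(root))


def demo():
    """Constructed sample: a clean rebuild passes, then a tampered file is caught."""
    root, pub = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "manifest-sha256.json")
    os.makedirs(os.path.join(root, "icons"))
    for rel, data in {"manifest.json": b'{"name":"sample"}', "icons/16.png": b"\x89PNG"}.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    with open(pub, "w", encoding="utf-8") as f:
        json.dump(build_manifest(root), f)
    clean_ok = verify_release(root, pub)["ok"]
    with open(os.path.join(root, "manifest.json"), "ab") as f:
        f.write(b"\n")  # modify a shipped file after the manifest was published
    return clean_ok, verify_release(root, pub)["changed"]
```

Run verify_release against the unpacked rebuild directory and the manifest attached to the GitHub release; any non-empty list means the package does not match the published record.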