Diff: how-to/authenticate-binary-downloads
From 1c02ec1 to 1c02ec1
+0 / −0 lines
| Before | After |
|---|---|
| --- | --- |
| schema: foundry-doc-v1 | schema: foundry-doc-v1 |
| title: "How to authenticate binary downloads" | title: "How to authenticate binary downloads" |
| slug: authenticate-binary-downloads | slug: authenticate-binary-downloads |
| category: how-to | category: how-to |
| content_type: how-to | content_type: how-to |
| type: how-to | type: how-to |
| status: stable | status: stable |
| last_edited: 2026-06-14 | last_edited: 2026-06-14 |
| editor: pointsav-engineering | editor: pointsav-engineering |
| paired_with: authenticate-binary-downloads.es.md | paired_with: authenticate-binary-downloads.es.md |
| --- | --- |
| The PointSav private distribution endpoint at `software.pointsav.com` issues Ed25519-signed binary releases. Every download is verified against the publisher's public key before the binary executes. This guide covers requesting a licence token, downloading a release, and verifying the signature. | The PointSav private distribution endpoint at `software.pointsav.com` issues Ed25519-signed binary releases. Every download is verified against the publisher's public key before the binary executes. This guide covers requesting a licence token, downloading a release, and verifying the signature. |
| For the architecture behind the distribution system, see [[private-git-paid-customer-endpoint]] and [[software-distribution-substrate]]. | For the architecture behind the distribution system, see [[private-git-paid-customer-endpoint]] and [[software-distribution-substrate]]. |
| ## Before you begin | ## Before you begin |
| You need: | You need: |
| - A verified account at `software.pointsav.com` | - A verified account at `software.pointsav.com` |
| - An active licence for the product you are downloading | - An active licence for the product you are downloading |
| - A Linux or macOS host with `curl` installed | - A Linux or macOS host with `curl` installed |
| ## Step 1: Obtain your licence token | ## Step 1: Obtain your licence token |
| Log in to `software.pointsav.com` and navigate to **Licences**. Each active | Log in to `software.pointsav.com` and navigate to **Licences**. Each active |
| licence displays an Ed25519-signed token in the format | licence displays an Ed25519-signed token in the format |
| `psv1_<product>_<ulid>.<signature>`. Copy the full token string. | `psv1_<product>_<ulid>.<signature>`. Copy the full token string. |
| The token encodes the product identifier, expiry date, and a cryptographic | The token encodes the product identifier, expiry date, and a cryptographic |
| binding to your account key. The distribution endpoint returns `401` for an | binding to your account key. The distribution endpoint returns `401` for an |
| expired token and `403` if the token does not cover the requested product. | expired token and `403` if the token does not cover the requested product. |
| ## Step 2: Download the release archive | ## Step 2: Download the release archive |
| Pass the licence token as a bearer credential in the download request: | Pass the licence token as a bearer credential in the download request: |
| ```shell | ```shell |
| curl -fsSL \ | curl -fsSL \ |
| -H "Authorization: Bearer <your-licence-token>" \ | -H "Authorization: Bearer <your-licence-token>" \ |
| "https://software.pointsav.com/releases/<product>/<version>/linux-x86_64.tar.gz" \ | "https://software.pointsav.com/releases/<product>/<version>/linux-x86_64.tar.gz" \ |
| -o release.tar.gz | -o release.tar.gz |
| ``` | ``` |
| Replace `<product>` and `<version>` with the values shown on the **Releases** | Replace `<product>` and `<version>` with the values shown on the **Releases** |
| page for your licence. Available platforms appear alongside each release. | page for your licence. Available platforms appear alongside each release. |
| ## Step 3: Fetch the detached signature | ## Step 3: Fetch the detached signature |
| Each release archive has an accompanying `.sig` file signed with the | Each release archive has an accompanying `.sig` file signed with the |
| publisher's Ed25519 private key: | publisher's Ed25519 private key: |
| ```shell | ```shell |
| curl -fsSL \ | curl -fsSL \ |
| -H "Authorization: Bearer <your-licence-token>" \ | -H "Authorization: Bearer <your-licence-token>" \ |
| "https://software.pointsav.com/releases/<product>/<version>/linux-x86_64.tar.gz.sig" \ | "https://software.pointsav.com/releases/<product>/<version>/linux-x86_64.tar.gz.sig" \ |
| -o release.tar.gz.sig | -o release.tar.gz.sig |
| ``` | ``` |
| ## Step 4: Import the publisher's public key | ## Step 4: Import the publisher's public key |
| The signing key is pinned at a well-known path on the distribution endpoint: | The signing key is pinned at a well-known path on the distribution endpoint: |
| ```shell | ```shell |
| curl -fsSL \ | curl -fsSL \ |
| "https://software.pointsav.com/.well-known/pointsav-signing-key.pub" \ | "https://software.pointsav.com/.well-known/pointsav-signing-key.pub" \ |
| -o pointsav-signing-key.pub | -o pointsav-signing-key.pub |
| ``` | ``` |
| Confirm the key fingerprint matches the value listed in the release notes | Confirm the key fingerprint matches the value listed in the release notes |
| for the version you are downloading before proceeding to verification. | for the version you are downloading before proceeding to verification. |
| ## Step 5: Verify the Ed25519 signature | ## Step 5: Verify the Ed25519 signature |
| Create an allowed-signers file and run `ssh-keygen -Y verify`: | Create an allowed-signers file and run `ssh-keygen -Y verify`: |
| ```shell | ```shell |
| echo "releases@pointsav.com $(cat pointsav-signing-key.pub)" > allowed_signers | echo "releases@pointsav.com $(cat pointsav-signing-key.pub)" > allowed_signers |
| ssh-keygen -Y verify \ | ssh-keygen -Y verify \ |
| -f allowed_signers \ | -f allowed_signers \ |
| -I releases@pointsav.com \ | -I releases@pointsav.com \ |
| -n release \ | -n release \ |
| -s release.tar.gz.sig \ | -s release.tar.gz.sig \ |
| < release.tar.gz | < release.tar.gz |
| ``` | ``` |
| A successful verification prints: | A successful verification prints: |
| `Good "release" signature for releases@pointsav.com` | `Good "release" signature for releases@pointsav.com` |
| If the command prints `Signature verification failed`, the archive has been | If the command prints `Signature verification failed`, the archive has been |
| modified in transit or the signature file does not match the archive. Do not | modified in transit or the signature file does not match the archive. Do not |
| proceed — re-download both files and verify again before use. | proceed — re-download both files and verify again before use. |
| ## Step 6: Extract and run the binary | ## Step 6: Extract and run the binary |
| ```shell | ```shell |
| tar -xzf release.tar.gz | tar -xzf release.tar.gz |
| chmod +x <product> | chmod +x <product> |
| ./<product> --version | ./<product> --version |
| ``` | ``` |
| The binary validates its licence token at startup. If the token has expired | The binary validates its licence token at startup. If the token has expired |
| since the download, the process exits with a message indicating the specific | since the download, the process exits with a message indicating the specific |
| expiry date. Renew the token at `software.pointsav.com` and restart. | expiry date. Renew the token at `software.pointsav.com` and restart. |
| ## See also | ## See also |
| - [[private-git-paid-customer-endpoint]] — the paid customer endpoint architecture | - [[private-git-paid-customer-endpoint]] — the paid customer endpoint architecture |
| - [[software-distribution-substrate]] — the software distribution substrate | - [[software-distribution-substrate]] — the software distribution substrate |
| - [[machine-based-auth]] — how access to the distribution endpoint is authorized | - [[machine-based-auth]] — how access to the distribution endpoint is authorized |