Releases
Every Barista release ships signed, reproducible, and provenance-backed. Each artifact carries a keyless Sigstore (cosign) signature, SLSA build provenance, and CycloneDX SBOMs. A release appears here only after those artifacts verify.
Barista is an early alpha: it has been exercised on a limited set of projects and is not yet recommended for production. See the full release list on GitHub.
v0.1.0-alpha.1alpha
2026-05-22 · release notesBundles Apache Maven 4.0.0-rc-3 · built with rustc 1.88.0 · commit f136e31b63fc
Downloads
| Platform | Archive | Size | SHA-256 |
|---|---|---|---|
| Linux · x86-64 | barista-0.1.0-alpha.1-x86_64-unknown-linux-gnu.tar.gz cosign bundle | 32.9 MB | 5b12c72155a8ad91de8d2746263a87a61323423cbbe2a159e6143409167786d1 |
| Linux · ARM64 | barista-0.1.0-alpha.1-aarch64-unknown-linux-gnu.tar.gz cosign bundle | 32.5 MB | 92242c668353ce33ecb9c78bf3986450794ba4014b43ded0941b7efed55c7a48 |
| macOS · Apple Silicon | barista-0.1.0-alpha.1-aarch64-apple-darwin.tar.gz cosign bundle | 32.5 MB | a564f14c41d0a1c81a110a22c613a74a1a9b57ce1eeb5ef6b0097cba5da303de |
| macOS · Intel | barista-0.1.0-alpha.1-x86_64-apple-darwin.tar.gz cosign bundle | 32.9 MB | c1ecb054aa7bd3e915464d02050e714dea7ecf07758604988dcb537c0b1b33f5 |
| Windows · x86-64 | barista-0.1.0-alpha.1-x86_64-pc-windows-msvc.zip cosign bundle | 32.8 MB | 900e111bf3b5863411a375441a07a07025c0e20960cbc8fc07ab57add4216f6c |
SBOMs
Software bills of materials in CycloneDX JSON — a combined product SBOM plus per-ecosystem breakdowns. Each is cosign signed (download the matching .cosign.bundle).
| SBOM | Format | Size | Signature |
|---|---|---|---|
| Combined (product) | CycloneDX | 583 KB | cosign bundle |
| Rust crates | CycloneDX | 382 KB | cosign bundle |
| Java (barback) | CycloneDX | 206 KB | cosign bundle |
Provenance
SLSA L3 build provenance for every artifact: multiple.intoto.jsonl. Aggregate build manifest (hashes + bundled versions): barista-0.1.0-alpha.1-build-manifest.json.
Verify
Confirm the signature and provenance of any artifact (example: the Linux x86-64 archive):
# Sigstore cosign — keyless signature
cosign verify-blob \
--bundle barista-0.1.0-alpha.1-x86_64-unknown-linux-gnu.tar.gz.cosign.bundle \
--certificate-identity-regexp '^https://github.com/buildwithbarista/barista' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
barista-0.1.0-alpha.1-x86_64-unknown-linux-gnu.tar.gz
# SLSA build provenance
slsa-verifier verify-artifact \
barista-0.1.0-alpha.1-x86_64-unknown-linux-gnu.tar.gz \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/buildwithbarista/barista