canonical acquisition · version 1.0.0

Download exact bytes. Verify before installation.

Every file below is bound to one clean reviewed Git commit by the public release index and SHA-256 manifest. The live promotion probe downloads and re-hashes the same artifacts after deployment.

The distribution is certiv-receipts. Do not substitute pip install certiv; that bare package name identifies a different distribution.

reviewable release set

Artifacts and evidence

Full reviewed source

Archive of the entire clean Git commit, including tests, operations, web source, and release policy.

certiv-source-1.0.0.tar.gz

CLI dependency lock

Hash-locked, wheel-only runtime dependency set for the local command-line tools.

certiv-core.lock

CycloneDX SBOM

Machine-readable inventory generated from the audited CLI runtime lock.

certiv-core.cdx.json

Build receipt

Toolchain and same-host byte-for-byte rebuild evidence for the wheel and Python source distribution.

BUILD-RECEIPT.json

Also published: publication receipt, plain-text installation guide, and the machine artifact index.

minimal verified install

Install without substituting package bytes

sha256sum --check --strict SHA256SUMS python3.10 -m venv .venv .venv/bin/python -m pip install --isolated --index-url=https://pypi.org/simple --only-binary=:all: --require-hashes -r certiv-core.lock .venv/bin/python -m pip install --isolated --no-index --no-deps certiv_receipts-1.0.0-py3-none-any.whl .venv/bin/certiv --version
Proof boundary.

This mirror currently provides operator-published SHA-256 hashes over HTTPS and names the exact source commit. It does not claim an independent rebuild or protected third-party attestation. The release index records that limitation as machine-readable data.