APTlantis Release Hashing Standard (ARHS)
A standard for ensuring the long-term integrity, verification, and cryptographic diversity of APTlantis release artifacts. ARHS defines the required cryptographic hash algorithms that must accompany every release artifact.
ARHS conforms to SFDS at the standard-suite governance layer. SFDS describes how this documentation suite is indexed, validated, and normalized; ARHS remains authoritative for cryptographic hashing rules for APTlantis release artifacts.
ARHS is the minimum release-artifact hash rule. AAMHS is the richer archive preservation integrity standard — see its preserved reference copy of this same source document for the archival-side framing.
:::info Status Candidate v0.2.1. :::
What This Standard Covers
| Area | Summary |
|---|---|
| Algorithms | Required hash algorithms (SHA256, BLAKE3, KangarooTwelve) |
| Cryptographic Diversity | Avoiding dependence on a single algorithm family |
| Verification | Manual and automated verification of released artifacts |
Document Suite
ARHS follows the SFDS two-layer model:
ARHS.manifest.tomldescribes the ARHS standard suite.
Core
| File | Purpose |
|---|---|
APTlantis Release Hashing Standard.md | The full hashing standard. Read this first. |
ARHS.manifest.toml | Machine-readable standard manifest. |
Adoption-Guide.md | How an APTlantis project adopts ARHS. |
Validation-Checklist.md | Manual validation checklist. |
CHANGELOG.md | Version history for ARHS. |
Examples
| File | Purpose |
|---|---|
examples/sample-hashes.txt | Example of a text file containing the required hashes for a release artifact. |
examples/Example-Release-Hash-Record.md | A filled-in release hash record. |
Quick Start
For Projects Adopting ARHS
- Review the Specification and Adoption Guide.
- Update your CI/CD pipeline or build scripts to generate SHA256, BLAKE3, and KangarooTwelve hashes for all final release artifacts.
- Publish these hashes alongside your release artifacts (e.g., in a
hashes.txtfile). - Run through the Validation Checklist to ensure compliance.
Core Principles
Verification is Long-Term. Software releases are artifacts worthy of preservation. Verification information should remain useful and trustworthy for years or decades after publication.
Algorithmic Independence. Relying on a single cryptographic family creates a single point of failure. ARHS enforces diversity by requiring algorithms from different lineages (SHA-2, BLAKE, Keccak).
Baseline Compatibility + Modern Performance. SHA256 ensures universal compatibility, while BLAKE3 and KangarooTwelve provide high-performance verification for large files with post-quantum security margins.
Scope
Every APTlantis release artifact SHALL be accompanied by multiple cryptographic hashes. The purpose of these hashes is to provide integrity verification, long-term archival confidence, and independence from any single cryptographic algorithm or vendor ecosystem.
The APTlantis project views software releases as artifacts worthy of preservation. Verification information should remain useful and trustworthy for years or decades after publication.
Required Hash Algorithms
All release artifacts MUST include the following hashes:
- SHA256
- BLAKE3
- KangarooTwelve (K12)
Relationship to DRS, CTS, WDS, DDS, and AAMHS
ARHS governs release artifact hash requirements.
DRS, CTS, WDS, and DDS govern release readiness for their project classes. AAMHS governs long-term archive integrity records and richer preservation hash manifests.
When a release artifact is published, ARHS defines the minimum hash set that must accompany it. When an archive is preserved for long-term integrity validation, AAMHS may add additional manifest, signature, and preservation requirements.
Rationale
SHA256: Universal Compatibility
SHA256 remains the most widely recognized and supported cryptographic hash algorithm in software distribution.
Benefits include:
- Native support across Windows, Linux, and macOS
- Compatibility with security scanners and CI/CD systems
- Broad recognition by users and organizations
- Long-established industry adoption
SHA256 serves as the baseline verification method that virtually every user can validate without installing additional tooling.
BLAKE3: High-Performance Modern Hashing
BLAKE3 represents the current state of the art in practical hashing performance.
Benefits include:
- Extremely high throughput
- Parallel processing support
- Excellent performance on modern CPUs
- Strong cryptographic design
- Growing ecosystem adoption
BLAKE3 is particularly valuable when verifying large artifacts such as ISO images, archives, datasets, virtual machine images, and software collections.
KangarooTwelve: Independent Cryptographic Lineage
KangarooTwelve is a high-performance derivative of the Keccak family, the basis of SHA-3.
Benefits include:
- Distinct design lineage from SHA-2 and BLAKE families
- Excellent performance characteristics
- Strong security margins
- Modern sponge-based construction
- Long-term cryptographic diversity
KangarooTwelve provides algorithmic independence, reducing reliance on any single family of cryptographic designs.
Defense Through Diversity
The selected algorithms intentionally originate from different cryptographic families:
| Algorithm | Family |
|---|---|
| SHA256 | SHA-2 |
| BLAKE3 | BLAKE |
| KangarooTwelve | Keccak / SHA-3 |
This approach improves long-term resilience by avoiding dependence on a single algorithm family.
The goal is not merely redundancy, but cryptographic diversity.
Post-Quantum Considerations
Current research indicates that cryptographic hash functions remain significantly more resistant to quantum attacks than traditional public-key cryptography.
The selected algorithms provide strong security margins while maintaining practical performance. APTlantis considers SHA256, BLAKE3, and KangarooTwelve an appropriate balance between compatibility, performance, and future resilience.
Future Direction
APTlantis may supplement release hashes with cryptographic signatures, including post-quantum signature schemes, as tooling and ecosystem support mature.
Hashes verify that a file has not changed.
Signatures verify who published it.
Both play an important role in long-term software preservation and provenance.
Hash Record Requirements
Every release hash record must include:
- Artifact filename.
- Artifact size in bytes when known.
- SHA256 hash.
- BLAKE3 hash.
- KangarooTwelve hash.
- Hash generation date.
- Tool names or commands used when practical.
- Maintainer or release operator.
The hash record must name the exact artifact file the hashes cover. Do not publish loose hashes without filenames.
Verification Rules
Verification must confirm:
- All required algorithms are present.
- Hashes are formatted consistently.
- The artifact file exists.
- Each recorded hash matches the artifact bytes.
- The release note, manifest, or publication record points to the same artifact name.
If any hash mismatches, the release artifact is not verified.
Release Blockers
An APTlantis release artifact is blocked when:
- SHA256 is missing.
- BLAKE3 is missing.
- KangarooTwelve is missing.
- A recorded hash does not match the artifact.
- The hash record does not identify the exact artifact filename.
- The release document and hash record disagree about artifact name or version.
- Hashes were computed before final packaging.
Required Artifacts
- Specification (
APTlantis Release Hashing Standard.md). ARHS.manifest.tomlfor the standard suite.- Adoption guide (
Adoption-Guide.md). - Validation checklist (
Validation-Checklist.md). - Changelog (
CHANGELOG.md).
Validation
Conformance is checked by verifying that any released artifact provides valid SHA256, BLAKE3, and KangarooTwelve hashes, and that these hashes match the artifact.