Skip to main content

APTlantis Release Hashing Standard (ARHS)

A standard for ensuring the long-term integrity, verification, and cryptographic diversity of APTlantis release artifacts. ARHS defines the required cryptographic hash algorithms that must accompany every release artifact.

ARHS conforms to SFDS at the standard-suite governance layer. SFDS describes how this documentation suite is indexed, validated, and normalized; ARHS remains authoritative for cryptographic hashing rules for APTlantis release artifacts.

ARHS is the minimum release-artifact hash rule. AAMHS is the richer archive preservation integrity standard — see its preserved reference copy of this same source document for the archival-side framing.

:::info Status Candidate v0.2.1. :::

What This Standard Covers

AreaSummary
AlgorithmsRequired hash algorithms (SHA256, BLAKE3, KangarooTwelve)
Cryptographic DiversityAvoiding dependence on a single algorithm family
VerificationManual and automated verification of released artifacts

Document Suite

ARHS follows the SFDS two-layer model:

  • ARHS.manifest.toml describes the ARHS standard suite.

Core

FilePurpose
APTlantis Release Hashing Standard.mdThe full hashing standard. Read this first.
ARHS.manifest.tomlMachine-readable standard manifest.
Adoption-Guide.mdHow an APTlantis project adopts ARHS.
Validation-Checklist.mdManual validation checklist.
CHANGELOG.mdVersion history for ARHS.

Examples

FilePurpose
examples/sample-hashes.txtExample of a text file containing the required hashes for a release artifact.
examples/Example-Release-Hash-Record.mdA filled-in release hash record.

Quick Start

For Projects Adopting ARHS

  1. Review the Specification and Adoption Guide.
  2. Update your CI/CD pipeline or build scripts to generate SHA256, BLAKE3, and KangarooTwelve hashes for all final release artifacts.
  3. Publish these hashes alongside your release artifacts (e.g., in a hashes.txt file).
  4. Run through the Validation Checklist to ensure compliance.

Core Principles

Verification is Long-Term. Software releases are artifacts worthy of preservation. Verification information should remain useful and trustworthy for years or decades after publication.

Algorithmic Independence. Relying on a single cryptographic family creates a single point of failure. ARHS enforces diversity by requiring algorithms from different lineages (SHA-2, BLAKE, Keccak).

Baseline Compatibility + Modern Performance. SHA256 ensures universal compatibility, while BLAKE3 and KangarooTwelve provide high-performance verification for large files with post-quantum security margins.


Scope

Every APTlantis release artifact SHALL be accompanied by multiple cryptographic hashes. The purpose of these hashes is to provide integrity verification, long-term archival confidence, and independence from any single cryptographic algorithm or vendor ecosystem.

The APTlantis project views software releases as artifacts worthy of preservation. Verification information should remain useful and trustworthy for years or decades after publication.

Required Hash Algorithms

All release artifacts MUST include the following hashes:

  • SHA256
  • BLAKE3
  • KangarooTwelve (K12)

Relationship to DRS, CTS, WDS, DDS, and AAMHS

ARHS governs release artifact hash requirements.

DRS, CTS, WDS, and DDS govern release readiness for their project classes. AAMHS governs long-term archive integrity records and richer preservation hash manifests.

When a release artifact is published, ARHS defines the minimum hash set that must accompany it. When an archive is preserved for long-term integrity validation, AAMHS may add additional manifest, signature, and preservation requirements.

Rationale

SHA256: Universal Compatibility

SHA256 remains the most widely recognized and supported cryptographic hash algorithm in software distribution.

Benefits include:

  • Native support across Windows, Linux, and macOS
  • Compatibility with security scanners and CI/CD systems
  • Broad recognition by users and organizations
  • Long-established industry adoption

SHA256 serves as the baseline verification method that virtually every user can validate without installing additional tooling.

BLAKE3: High-Performance Modern Hashing

BLAKE3 represents the current state of the art in practical hashing performance.

Benefits include:

  • Extremely high throughput
  • Parallel processing support
  • Excellent performance on modern CPUs
  • Strong cryptographic design
  • Growing ecosystem adoption

BLAKE3 is particularly valuable when verifying large artifacts such as ISO images, archives, datasets, virtual machine images, and software collections.

KangarooTwelve: Independent Cryptographic Lineage

KangarooTwelve is a high-performance derivative of the Keccak family, the basis of SHA-3.

Benefits include:

  • Distinct design lineage from SHA-2 and BLAKE families
  • Excellent performance characteristics
  • Strong security margins
  • Modern sponge-based construction
  • Long-term cryptographic diversity

KangarooTwelve provides algorithmic independence, reducing reliance on any single family of cryptographic designs.

Defense Through Diversity

The selected algorithms intentionally originate from different cryptographic families:

AlgorithmFamily
SHA256SHA-2
BLAKE3BLAKE
KangarooTwelveKeccak / SHA-3

This approach improves long-term resilience by avoiding dependence on a single algorithm family.

The goal is not merely redundancy, but cryptographic diversity.

Post-Quantum Considerations

Current research indicates that cryptographic hash functions remain significantly more resistant to quantum attacks than traditional public-key cryptography.

The selected algorithms provide strong security margins while maintaining practical performance. APTlantis considers SHA256, BLAKE3, and KangarooTwelve an appropriate balance between compatibility, performance, and future resilience.

Future Direction

APTlantis may supplement release hashes with cryptographic signatures, including post-quantum signature schemes, as tooling and ecosystem support mature.

Hashes verify that a file has not changed.

Signatures verify who published it.

Both play an important role in long-term software preservation and provenance.

Hash Record Requirements

Every release hash record must include:

  • Artifact filename.
  • Artifact size in bytes when known.
  • SHA256 hash.
  • BLAKE3 hash.
  • KangarooTwelve hash.
  • Hash generation date.
  • Tool names or commands used when practical.
  • Maintainer or release operator.

The hash record must name the exact artifact file the hashes cover. Do not publish loose hashes without filenames.

Verification Rules

Verification must confirm:

  • All required algorithms are present.
  • Hashes are formatted consistently.
  • The artifact file exists.
  • Each recorded hash matches the artifact bytes.
  • The release note, manifest, or publication record points to the same artifact name.

If any hash mismatches, the release artifact is not verified.

Release Blockers

An APTlantis release artifact is blocked when:

  • SHA256 is missing.
  • BLAKE3 is missing.
  • KangarooTwelve is missing.
  • A recorded hash does not match the artifact.
  • The hash record does not identify the exact artifact filename.
  • The release document and hash record disagree about artifact name or version.
  • Hashes were computed before final packaging.

Required Artifacts

  • Specification (APTlantis Release Hashing Standard.md).
  • ARHS.manifest.toml for the standard suite.
  • Adoption guide (Adoption-Guide.md).
  • Validation checklist (Validation-Checklist.md).
  • Changelog (CHANGELOG.md).

Validation

Conformance is checked by verifying that any released artifact provides valid SHA256, BLAKE3, and KangarooTwelve hashes, and that these hashes match the artifact.