feat: implement GitHub artifact attestation verification

- Add `checkAttestations` to `DetailsRepository` to verify build integrity via GitHub's attestations API
- Implement SHA-256 checksum computation for downloaded assets before installation
- Introduce `AttestationStatus` to track verification states: unchecked, checking, verified, and unverified
- Update `DetailsViewModel` to trigger asynchronous attestation checks post-installation
- Enhance `SmartInstallButton` with a new `AttestationBadge` component to display verification status and progress
- Add localized strings for "Verified build" and "Checking..." statuses
- Update `DetailsState` to persist and reflect the current attestation status in the UI

Author: rainxchzed

core/presentation/src/commonMain/composeResources/values/strings.xml

@@ -207,6 +207,8 @@
     <string name="signing_key_changed_title">Signing key changed</string>
     <string name="signing_key_changed_message">The signing certificate for this app has changed since it was first installed.\n\nThis could mean the developer rotated their signing key, or the binary may have been tampered with.\n\nExpected: %1$s\nReceived: %2$s</string>
     <string name="install_anyway">Install anyway</string>
+    <string name="verified_build">Verified build</string>
+    <string name="checking_attestation">Checking\u2026</string>
     <string name="install_version">Install %1$s</string>
     <string name="failed_to_open_app">Failed to open %1$s</string>
     <string name="failed_to_uninstall">Failed to uninstall %1$s</string>

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/dto/AttestationsResponse.kt

@@ -0,0 +1,9 @@
+package zed.rainxch.details.data.dto
+
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonObject
+
+@Serializable
+data class AttestationsResponse(
+    val attestations: List<JsonObject> = emptyList(),
+)

feature/details/data/src/commonMain/kotlin/zed/rainxch/details/data/repository/DetailsRepositoryImpl.kt

@@ -20,6 +20,7 @@ import zed.rainxch.core.data.dto.ReleaseNetwork
 import zed.rainxch.core.data.dto.RepoByIdNetwork
 import zed.rainxch.core.data.dto.RepoInfoNetwork
 import zed.rainxch.core.data.dto.UserProfileNetwork
+import zed.rainxch.details.data.dto.AttestationsResponse
 import zed.rainxch.core.data.mappers.toDomain
 import zed.rainxch.core.data.network.executeRequest
 import zed.rainxch.core.data.services.LocalizationManager
@@ -489,4 +490,24 @@ class DetailsRepositoryImpl(
             throw e
         }
     }
+
+    override suspend fun checkAttestations(
+        owner: String,
+        repo: String,
+        sha256Digest: String,
+    ): Boolean =
+        try {
+            val response =
+                httpClient
+                    .executeRequest<AttestationsResponse> {
+                        get("/repos/$owner/$repo/attestations/sha256:$sha256Digest") {
+                            header(HttpHeaders.Accept, "application/vnd.github+json")
+                        }
+                    }.getOrNull()
+            response != null && response.attestations.isNotEmpty()
+        } catch (e: Exception) {
+            logger.debug("Attestation check failed for $owner/$repo: ${e.message}")
+            false
+        }
+
 }

feature/details/domain/src/commonMain/kotlin/zed/rainxch/details/domain/repository/DetailsRepository.kt

@@ -41,4 +41,10 @@ interface DetailsRepository {
     ): RepoStats
 
     suspend fun getUserProfile(username: String): GithubUserProfile
+
+    suspend fun checkAttestations(
+        owner: String,
+        repo: String,
+        sha256Digest: String,
+    ): Boolean
 }

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/DetailsState.kt

@@ -13,6 +13,7 @@ import zed.rainxch.details.presentation.model.SigningKeyWarning
 import zed.rainxch.details.presentation.model.DownloadStage
 import zed.rainxch.details.presentation.model.InstallLogItem
 import zed.rainxch.details.presentation.model.TranslationState
+import zed.rainxch.details.presentation.model.AttestationStatus
 import zed.rainxch.details.presentation.model.TranslationTarget
 
 data class DetailsState(
@@ -64,6 +65,7 @@ data class DetailsState(
     val showExternalInstallerPrompt: Boolean = false,
     val pendingInstallFilePath: String? = null,
     val showUninstallConfirmation: Boolean = false,
+    val attestationStatus: AttestationStatus = AttestationStatus.UNCHECKED,
 ) {
     val filteredReleases: List<GithubRelease>
         get() =

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/DetailsViewModel.kt

@@ -42,6 +42,7 @@ import zed.rainxch.core.domain.utils.ShareManager
 import zed.rainxch.details.domain.model.ReleaseCategory
 import zed.rainxch.details.domain.repository.DetailsRepository
 import zed.rainxch.details.domain.repository.TranslationRepository
+import zed.rainxch.details.presentation.model.AttestationStatus
 import zed.rainxch.details.presentation.model.DowngradeWarning
 import zed.rainxch.details.presentation.model.DownloadStage
 import zed.rainxch.details.presentation.model.InstallLogItem
@@ -61,6 +62,8 @@ import zed.rainxch.githubstore.core.presentation.res.rate_limit_exceeded
 import zed.rainxch.githubstore.core.presentation.res.removed_from_favourites
 import zed.rainxch.githubstore.core.presentation.res.translation_failed
 import java.io.File
+import java.io.FileInputStream
+import java.security.MessageDigest
 import java.util.concurrent.atomic.AtomicBoolean
 import kotlin.coroutines.cancellation.CancellationException
 import kotlin.time.Clock.System
@@ -1151,6 +1154,9 @@ class DetailsViewModel(
 
         installer.install(filePath, ext)
 
+        // Launch attestation check asynchronously (non-blocking)
+        launchAttestationCheck(filePath)
+
         if (platform == Platform.ANDROID) {
             saveInstalledAppToDatabase(
                 assetName = assetName,
@@ -1201,6 +1207,42 @@ class DetailsViewModel(
         }
     }
 
+    private fun launchAttestationCheck(filePath: String) {
+        val repo = _state.value.repository ?: return
+        val owner = repo.owner.login
+        val repoName = repo.name
+
+        _state.update { it.copy(attestationStatus = AttestationStatus.CHECKING) }
+
+        viewModelScope.launch {
+            try {
+                val digest = computeSha256(filePath)
+                val verified = detailsRepository.checkAttestations(owner, repoName, digest)
+                _state.update {
+                    it.copy(
+                        attestationStatus =
+                            if (verified) AttestationStatus.VERIFIED else AttestationStatus.UNVERIFIED,
+                    )
+                }
+            } catch (e: Exception) {
+                logger.debug("Attestation check error: ${e.message}")
+                _state.update { it.copy(attestationStatus = AttestationStatus.UNVERIFIED) }
+            }
+        }
+    }
+
+    private fun computeSha256(filePath: String): String {
+        val digest = MessageDigest.getInstance("SHA-256")
+        val buffer = ByteArray(8192)
+        FileInputStream(File(filePath)).use { fis ->
+            var bytesRead: Int
+            while (fis.read(buffer).also { bytesRead = it } != -1) {
+                digest.update(buffer, 0, bytesRead)
+            }
+        }
+        return digest.digest().joinToString("") { "%02x".format(it) }
+    }
+
     private suspend fun downloadAsset(
         assetName: String,
         sizeBytes: Long,
@@ -1226,6 +1268,7 @@ class DetailsViewModel(
                 downloadError = null,
                 installError = null,
                 downloadProgressPercent = null,
+                attestationStatus = AttestationStatus.UNCHECKED,
             )
 
         val existingPath = downloader.getDownloadedFilePath(assetName)

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/components/SmartInstallButton.kt

@@ -1,5 +1,8 @@
 package zed.rainxch.details.presentation.components
 
+import androidx.compose.animation.AnimatedVisibility
+import androidx.compose.animation.fadeIn
+import androidx.compose.animation.fadeOut
 import androidx.compose.foundation.background
 import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.Arrangement
@@ -8,6 +11,7 @@ import androidx.compose.foundation.layout.Column
 import androidx.compose.foundation.layout.Row
 import androidx.compose.foundation.layout.Spacer
 import androidx.compose.foundation.layout.fillMaxSize
+import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.layout.height
 import androidx.compose.foundation.layout.size
 import androidx.compose.foundation.layout.width
@@ -20,7 +24,9 @@ import androidx.compose.material.icons.filled.Close
 import androidx.compose.material.icons.filled.Delete
 import androidx.compose.material.icons.filled.KeyboardArrowDown
 import androidx.compose.material.icons.filled.Update
+import androidx.compose.material.icons.filled.VerifiedUser
 import androidx.compose.material3.CardDefaults
+import androidx.compose.material3.CircularProgressIndicator
 import androidx.compose.material3.ElevatedCard
 import androidx.compose.material3.ExperimentalMaterial3ExpressiveApi
 import androidx.compose.material3.Icon
@@ -43,13 +49,16 @@ import zed.rainxch.core.domain.model.GithubAsset
 import zed.rainxch.core.domain.model.GithubUser
 import zed.rainxch.details.presentation.DetailsAction
 import zed.rainxch.details.presentation.DetailsState
+import zed.rainxch.details.presentation.model.AttestationStatus
 import zed.rainxch.details.presentation.model.DownloadStage
 import zed.rainxch.details.presentation.utils.LocalTopbarLiquidState
 import zed.rainxch.details.presentation.utils.extractArchitectureFromName
 import zed.rainxch.details.presentation.utils.isExactArchitectureMatch
 import zed.rainxch.githubstore.core.presentation.res.Res
 import zed.rainxch.githubstore.core.presentation.res.architecture_compatible
 import zed.rainxch.githubstore.core.presentation.res.cancel_download
+import zed.rainxch.githubstore.core.presentation.res.checking_attestation
+import zed.rainxch.githubstore.core.presentation.res.verified_build
 import zed.rainxch.githubstore.core.presentation.res.downloading
 import zed.rainxch.githubstore.core.presentation.res.install_latest
 import zed.rainxch.githubstore.core.presentation.res.install_version
@@ -97,11 +106,11 @@ fun SmartInstallButton(
 
     // When same version is installed, show Open button
     if (isSameVersionInstalled && !isActiveDownload) {
-        Row(
-            modifier = modifier,
-            verticalAlignment = Alignment.CenterVertically,
-            horizontalArrangement = Arrangement.spacedBy(4.dp),
-        ) {
+        Column(modifier = modifier) {
+            Row(
+                verticalAlignment = Alignment.CenterVertically,
+                horizontalArrangement = Arrangement.spacedBy(4.dp),
+            ) {
             // Uninstall button
             ElevatedCard(
                 onClick = { onAction(DetailsAction.OnRequestUninstall) },
@@ -191,6 +200,9 @@ fun SmartInstallButton(
                     }
                 }
             }
+            }
+
+            AttestationBadge(attestationStatus = state.attestationStatus)
         }
         return
     }
@@ -535,6 +547,53 @@ fun SmartInstallButton(
     }
 }
 
+@Composable
+private fun AttestationBadge(attestationStatus: AttestationStatus) {
+    AnimatedVisibility(
+        visible = attestationStatus == AttestationStatus.VERIFIED || attestationStatus == AttestationStatus.CHECKING,
+        enter = fadeIn(),
+        exit = fadeOut(),
+    ) {
+        Row(
+            modifier = Modifier.padding(top = 8.dp),
+            verticalAlignment = Alignment.CenterVertically,
+            horizontalArrangement = Arrangement.Center,
+        ) {
+            when (attestationStatus) {
+                AttestationStatus.CHECKING -> {
+                    CircularProgressIndicator(
+                        modifier = Modifier.size(14.dp),
+                        strokeWidth = 2.dp,
+                        color = MaterialTheme.colorScheme.onSurfaceVariant,
+                    )
+                    Spacer(modifier = Modifier.width(6.dp))
+                    Text(
+                        text = stringResource(Res.string.checking_attestation),
+                        style = MaterialTheme.typography.labelSmall,
+                        color = MaterialTheme.colorScheme.onSurfaceVariant,
+                    )
+                }
+                AttestationStatus.VERIFIED -> {
+                    Icon(
+                        imageVector = Icons.Filled.VerifiedUser,
+                        contentDescription = null,
+                        modifier = Modifier.size(14.dp),
+                        tint = MaterialTheme.colorScheme.tertiary,
+                    )
+                    Spacer(modifier = Modifier.width(4.dp))
+                    Text(
+                        text = stringResource(Res.string.verified_build),
+                        style = MaterialTheme.typography.labelSmall,
+                        color = MaterialTheme.colorScheme.tertiary,
+                        fontWeight = FontWeight.SemiBold,
+                    )
+                }
+                else -> {}
+            }
+        }
+    }
+}
+
 private fun normalizeVersion(version: String): String = version.removePrefix("v").removePrefix("V").trim()
 
 private fun formatFileSize(bytes: Long): String =

feature/details/presentation/src/commonMain/kotlin/zed/rainxch/details/presentation/model/AttestationStatus.kt

@@ -0,0 +1,8 @@
+package zed.rainxch.details.presentation.model
+
+enum class AttestationStatus {
+    UNCHECKED,
+    CHECKING,
+    VERIFIED,
+    UNVERIFIED,
+}