Feature launch

Pad on Homebrew, signed and reproducible

The Pad Team

brew install PerpetualSoftware/tap/pad

That’s it. Pad is on Homebrew today.

Behind that one line, we did the boring work right: every release ships signed, with a software bill of materials, with build provenance you can verify in three commands. Here’s what each piece is and how to check it.

What’s in every release

Every Pad release on GitHub includes:

  • Eight signed binary archives: darwin / linux / windows × amd64 / arm64. macOS builds are Apple Developer ID signed and Apple notarized, so no Gatekeeper warnings on first launch.
  • SBOMs in SPDX JSON — generated by Syft, one per archive. Lists every Go module compiled into the binary with versions and licenses. A complete bill of materials.
  • A cosign signature on checksums.txt — keyless via Sigstore Fulcio + the Rekor transparency log, using GitHub’s OIDC. No long-lived keys, every signature publicly auditable.
  • SLSA build provenance — a Sigstore-backed attestation per archive, proving the binary was built by our release workflow from a specific commit on a GitHub-hosted runner.

Pad's GitHub Releases page — every release includes the eight signed binaries, eight SPDX JSON SBOMs, and a signed checksums file. SLSA provenance is stored separately in GitHub's attestation store.

How to verify a release

Three commands. Run them once, and you know exactly what you’re installing.

# 1. Confirm checksums.txt was signed by our release workflow
cosign verify-blob \
  --certificate-identity-regexp "^https://github.com/PerpetualSoftware/pad/.github/workflows/release.yml@.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt

# 2. Confirm your downloaded archive matches the trusted checksum
shasum -a 256 -c checksums.txt --ignore-missing

# 3. (Optional) Confirm provenance — that this archive came from this repo
gh attestation verify pad_<version>_<os>_<arch>.tar.gz \
  --repo PerpetualSoftware/pad

If all three pass, the binary you just downloaded was built by our public GitHub Actions workflow, from a specific commit in the public Pad repo, and the proof of that build is in a public transparency log. No human hands touched it.
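Step 2 relies on --ignore-missing, which skips every listed file that is not present locally, so it is worth confirming that the archive you downloaded is actually one of the names in checksums.txt. The script below is an added example, not part of Pad's release tooling: verify_archive and sha256_of are hypothetical helper names, and it assumes checksums.txt uses the common "<sha256-hex>  <filename>" line format with no spaces in filenames.

```sh
# Added example: fail-closed checksum check for one named archive.
# Usage (after cosign has verified checksums.txt):
#   verify_archive checksums.txt pad_<version>_<os>_<arch>.tar.gz

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive <checksums-file> <archive>
#   0 = archive is listed exactly once and its digest matches
#   1 = archive is listed but the digest differs
#   2 = archive is not listed (or listed more than once): nothing was verified
verify_archive() {
  local sums="$1" archive="$2" name expected actual count
  name="$(basename "$archive")"
  # Exact match on the filename field; tolerate the "*" binary-mode marker.
  expected="$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print $1}' "$sums")"
  count="$(printf '%s\n' "$expected" | grep -c . || true)"
  if [ "$count" -ne 1 ]; then
    echo "FAIL: $name has $count entries in $sums; nothing verified" >&2
    return 2
  fi
  actual="$(sha256_of "$archive")"
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: $name digest does not match $sums" >&2
    return 1
  fi
  echo "OK: $name"
}
```

Run it only after step 1 has passed, since a checksum match proves nothing if checksums.txt itself is untrusted.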

How to install Pad

  • macOS: brew install PerpetualSoftware/tap/pad — signed, notarized, no warnings
  • Linux / Windows: Tarball or ZIP from the Releases page. Verify with the commands above before running the binary.
  • Container: docker pull ghcr.io/perpetualsoftware/pad — multi-arch image, manifest signed with cosign

Homebrew on Linux is on the roadmap. For now, Linux users pull the tarball directly.

Don’t want to install anything? Pad Cloud is the managed version — sign up free and skip the binary entirely.

Why we did the boring thing

Pad sits next to your code. With the local MCP server, your AI agent shells out to pad commands directly. That trust matters.

So we don’t ship convenience-first and bolt supply-chain hygiene on later. Every artifact we produce traces back to a commit, a workflow run, and a public Sigstore log entry — from day one.

If you’ve ever installed a CLI that asked you to curl | bash, you know the alternative. We picked the harder option because it’s the right one.

Try it:

brew install PerpetualSoftware/tap/pad
pad init

Now go ship something.
