Release Verification
This page defines how ATAMO releases are cryptographically verified. Release authenticity is established through signed Git tags, PGP signatures, signed SHA256 checksum manifests, official deployment records, and verified Ethereum Mainnet contracts.
Verification trust model
ATAMO releases are authenticated using a public PGP key controlled by the ATAMO release signing authority.
A valid Git tag signature confirms that the repository release state was signed by the ATAMO release authority.
A valid checksum-manifest signature confirms that the listed release artifact hashes were signed by the ATAMO release authority.
Valid SHA256 checksums confirm that release files have not been modified after the signed checksum manifest was created.
Verification rule
A release should be considered valid only if:
- the signed Git tag verifies successfully
- the PGP signature on SHA256SUMS is valid
- the signing key fingerprint matches the official fingerprint
- release artifact checksums match SHA256SUMS
- contract addresses match the official deployment records
- proxy and implementation relationships match the deployment documentation
- verified blockchain records match the published release artifacts
1. Public signing key
Official ATAMO releases and release-integrity artifacts are signed using the ATAMO release PGP key.
Public key file:
ATAMO_RELEASE_PGP_PUBLIC_KEY.asc
PGP fingerprint:
7FF68D4A2A54F8CC8641E880A4C7575F79C4E1AC
PGP fingerprint spaced format:
7FF6 8D4A 2A54 F8CC 8641 E880 A4C7 575F 79C4 E1AC
Signing identity:
ATAMO Security <[email protected]>
Official repository:
2. Verification process
curl -LO https://raw.githubusercontent.com/atamo-atms/atamo-project/main/releases/v1.0.0/ATAMO_RELEASE_PGP_PUBLIC_KEY.asc
gpg --import ATAMO_RELEASE_PGP_PUBLIC_KEY.asc
gpg --fingerprint [email protected]
Confirm the fingerprint matches the official fingerprint shown above.
git clone https://github.com/atamo-atms/atamo-project.git
cd atamo-project
git fetch --tags
git tag -v v1.0.0
The signature must be valid and must match the official ATAMO PGP fingerprint.
curl -LO https://raw.githubusercontent.com/atamo-atms/atamo-project/main/releases/v1.0.0/SHA256SUMS
curl -LO https://raw.githubusercontent.com/atamo-atms/atamo-project/main/releases/v1.0.0/SHA256SUMS.asc
curl -LO https://raw.githubusercontent.com/atamo-atms/atamo-project/main/releases/v1.0.0/deployment-manifest.mainnet.json
curl -LO https://raw.githubusercontent.com/atamo-atms/atamo-project/main/releases/v1.0.0/deployment-records-full.mainnet.json
curl -LO https://raw.githubusercontent.com/atamo-atms/atamo-project/main/releases/v1.0.0/ATAMO_DEPLOYMENT_STATEMENT_mainnet_2026-05-16.txt
gpg --verify SHA256SUMS.asc SHA256SUMS
The signature must be valid and must match the official ATAMO PGP fingerprint.
sha256sum -c SHA256SUMS
Expected result:
deployment-manifest.mainnet.json: OK
deployment-records-full.mainnet.json: OK
ATAMO_DEPLOYMENT_STATEMENT_mainnet_2026-05-16.txt: OK
3. Official release artifacts
The official ATAMO v1.0.0 release artifacts are stored under:
releases/v1.0.0/
- deployment-manifest.mainnet.json
- deployment-records-full.mainnet.json
- ATAMO_DEPLOYMENT_STATEMENT_mainnet_2026-05-16.txt
- SHA256SUMS
- SHA256SUMS.asc
- ATAMO_RELEASE_PGP_PUBLIC_KEY.asc
4. Failure conditions
If any of the following conditions occur, the release must be treated as untrusted:
- Git tag signature verification fails
- PGP signature verification fails
- signing key fingerprint does not match the official fingerprint
- checksums do not match SHA256SUMS
- release artifacts differ from repository references
- contract addresses do not match the official deployment records
- proxy or implementation relationships do not match official records
In these cases, do not use the release and treat it as potentially compromised until verified through official channels.
5. Relation to contract deployment
Release verification is part of the deployment verification chain.
Reviewed source code, signed release artifacts, and deployed contracts should remain consistent across:
- signed Git tag
- release artifacts
- signed checksum manifest
- deployment manifest
- deployment records
- deployment statement
- contracts page registry
- verified blockchain records
6. Reviewer and exchange guidance
For users
Verify signatures and checksums before using release files in development or interaction.
Always verify the official ATMS token proxy address before using any wallet, explorer, exchange, or integration flow.
For exchanges and auditors
Validate that deployed contracts correspond to verified source code, that source code corresponds to signed releases, and that all references match the official deployment records.
Exchanges should integrate the SecureToken proxy address only. Implementation contracts must not be listed as user-facing token assets.
7. Official contract reference
Canonical ATMS token
The official ATAMO token on Ethereum Mainnet is the SecureToken proxy:
0x38604c42c16e29BbFbc5479668453f18cB6cf335
Users should interact only with the proxy contract. Implementation contracts are for verification and audit review, not normal token interaction.
Governance and deployment addresses
ATAMO Custodian Safe:
0xe3b72bdb899364ce86949746D31CCba5f384b949
Timelock Proxy:
0x2778BC96422AeD7D7Ac7CE21372Aa42c525A86B8
Timelock Implementation:
0xb0d8dc6a08Cb4F93a795c53867ac990C8ce4B0E0
SecureToken Proxy:
0x38604c42c16e29BbFbc5479668453f18cB6cf335
SecureToken Implementation:
0xD0E06380aF1927c5d929625406d7E9896a80C09c
ATMSParticipationVault:
0x01273Ef57CE09C4Aa615E3bd95eF2b9DD54fd0E4
TokenActionRecorder:
0xAA7152784479Ed53147A12514602968327c9965E
8. Canonical release model
The canonical ATAMO v1.0.0 Ethereum Mainnet release is defined by:
- the signed Git tag v1.0.0
- the signed checksum manifest SHA256SUMS.asc
- the checksum file SHA256SUMS
- the deployment manifest
- the full deployment records
- the deployment statement
- verified Ethereum Mainnet contracts