Portable release packs for software you hand off.

Bundle binary, SBOM, provenance, and signature into one pack. Verified offline.

lens.html preview:

  This pack is valid.
  ✓ 4 files hashed   ✓ provenance bound   ✓ Ed25519 signed   7/7

What goes into a pack

  myapp-v2.1.0.tar.gz           binary
  myapp-v2.1.0.spdx.json        sbom
  myapp-v2.1.0.intoto.jsonl     provenance
  myapp-v2.1.0.sig              signature

PX bundles your release artifacts into one portable pack.
A 4KB manifest records every hash, rule check, and Ed25519 signature.
Recipients open one HTML file to review it all — offline.

The EU Cyber Resilience Act takes effect December 2027, with reporting obligations starting September 2026. PX helps you meet artifact bundling and integrity requirements today.

Signing tools sign. PX packs and hands off.

Compared on: Signs | Bundles as set | Offline review

  • Sigstore cosign
  • GitHub Attestations
  • SLSA provenance
  • PX

PX does not replace signing tools.
It consumes their output and adds the handoff layer.

What works today.

  • SHA-256 hash integrity
  • Ed25519 manifest signature
  • Profile-driven rule checks
  • Provenance-to-binary binding
  • Fail-close enforcement
  • GitHub Action
  • Zero dependencies

Roadmap

  • Signature chain of trust
  • OCI registry integration
  • SBOM content validation

Try PX in 15 seconds.

$ npx px-pack init --demo                        # sample data: one command, zero dependencies
$ npx px-pack pack --evidence=./dist/ --sign      # your release artifacts

PX v1 release artifacts are packed with PX. CI status →