Update build-test.sh to verify release SHA256 and local stamp

Co-authored-by: Cursor <cursoragent@cursor.com>

build-test.sh

@@ -10,8 +10,28 @@ sleep 0.5
 echo "==> Cleaning previous build..."
 rm -rf .build/Pommedoro.app .build/Pommedoro.dmg
 
-echo "==> Building DMG..."
-make dmg
+echo "==> Building release (DMG + SHA256)..."
+make release
+
+echo "==> Verifying SHA256 file was generated..."
+if [ ! -f releases/Pommedoro.dmg.sha256 ]; then
+    echo "==> FAIL: releases/Pommedoro.dmg.sha256 not found."
+    exit 1
+fi
+SHA_CONTENT="$(cat releases/Pommedoro.dmg.sha256)"
+if [ ${#SHA_CONTENT} -ne 64 ]; then
+    echo "==> FAIL: SHA256 file content is not a valid 64-char hex hash."
+    exit 1
+fi
+echo "==> OK: SHA256 = ${SHA_CONTENT}"
+
+echo "==> Verifying SHA256 matches DMG..."
+ACTUAL_SHA="$(shasum -a 256 releases/Pommedoro.dmg | awk '{print $1}')"
+if [ "${SHA_CONTENT}" != "${ACTUAL_SHA}" ]; then
+    echo "==> FAIL: SHA256 mismatch (file: ${SHA_CONTENT}, actual: ${ACTUAL_SHA})."
+    exit 1
+fi
+echo "==> OK: SHA256 matches DMG."
 
 echo "==> Simulating download quarantine on DMG..."
 xattr -w com.apple.quarantine "0081;67890abc;Safari;12345678-1234-1234-1234-123456789012" .build/Pommedoro.dmg
@@ -42,7 +62,19 @@ else
     echo "==> OK: no quarantine attribute."
 fi
 
+echo "==> Verifying SHA256 was stamped locally..."
+SHA_FILE="${HOME}/Library/Application Support/Pommedoro/current.sha256"
+if [ ! -f "${SHA_FILE}" ]; then
+    echo "==> FAIL: local SHA256 stamp not found at ${SHA_FILE}."
+    hdiutil detach /Volumes/Pommedoro -quiet 2>/dev/null || true
+    exit 1
+fi
+LOCAL_SHA="$(cat "${SHA_FILE}")"
+echo "==> OK: local SHA256 stamp = ${LOCAL_SHA}"
+
 hdiutil detach /Volumes/Pommedoro -quiet 2>/dev/null || true
 
 echo ""
-echo "==> Done. DMG at: .build/Pommedoro.dmg"
+echo "==> All checks passed."
+echo "==> DMG at: .build/Pommedoro.dmg"
+echo "==> Release at: releases/Pommedoro.dmg + releases/Pommedoro.dmg.sha256"