diff --git a/pkg/config/lima_config_applier.go b/pkg/config/lima_config_applier.go index 02e7715fa..93e484fe5 100644 --- a/pkg/config/lima_config_applier.go +++ b/pkg/config/lima_config_applier.go @@ -26,12 +26,24 @@ const ( sociServiceDownloadURLFormat = "https://raw.githubusercontent.com/awslabs/soci-snapshotter/v%s/soci-snapshotter.service" //nolint:lll // command string sociInstallationScriptFormat = `%s +#!/bin/bash if [ ! -f /usr/local/bin/soci ]; then # download soci set -e + + # pull release tarball + release_tarball="%s" + curl --retry 2 --retry-max-time 120 -OL "%s" + + # pull release shasum + release_tarball_shasum="%s" curl --retry 2 --retry-max-time 120 -OL "%s" + + # validate shasum + sha256sum --check --status ${release_tarball_shasum} || (echo "error: shasum verification failed for SOCI release tarball" && exit 1) + # move to usr/local/bin - tar -C /usr/local/bin -xvf %s ./soci ./soci-snapshotter-grpc + tar -C /usr/local/bin -xvf ${release_tarball} ./soci ./soci-snapshotter-grpc # install as a systemd service curl --retry 2 --retry-max-time 120 -OL "%s" 
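Review bot: The `.sha256sum` file is downloaded from the same release location as the tarball (both URLs come from `sociDownloadURLFormat`), so the new `sha256sum --check` step catches a truncated or corrupted download but not a replaced release asset, since the checksum beside it can be replaced as well. Consider pinning the expected digest in this package next to `sociVersion` and checking against that, e.g. `echo "<PINNED_SHA256_PLACEHOLDER>  ${release_tarball}" | sha256sum --check --status`. The unit file fetched by the last `curl` in the hunk is installed as a systemd service with no integrity check and deserves the same treatment. On the new lines themselves, quote `"${release_tarball_shasum}"`, and note that the failure branch aborts the script only because `set -e` is active: `exit 1` inside `( … )` leaves just the subshell, whereas `{ echo …; exit 1; }` does not depend on that. The script literal continues past the end of the hunk.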
@@ -237,9 +249,11 @@ func (lca *limaConfigApplier) provisionSnapshotters(limaCfg *limayaml.LimaYAML) func (lca *limaConfigApplier) provisionSociSnapshotter(limaCfg *limayaml.LimaYAML) { sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, lca.systemDeps.Arch()) sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName) + sociShaSumFileName := sociFileName + ".sha256sum" + sociShaSumDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociShaSumFileName) sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion) sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader, - sociDownloadURL, sociFileName, sociServiceDownloadURL) + sociFileName, sociDownloadURL, sociShaSumFileName, sociShaSumDownloadURL, sociServiceDownloadURL) limaCfg.Provision = append(limaCfg.Provision, limayaml.Provision{ Mode: "system", Script: sociInstallationScript, diff --git a/pkg/config/lima_config_applier_darwin_test.go b/pkg/config/lima_config_applier_darwin_test.go index 535666f00..973718aba 100644 --- a/pkg/config/lima_config_applier_darwin_test.go +++ b/pkg/config/lima_config_applier_darwin_test.go @@ -110,11 +110,15 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) { postRunCheck: func(t *testing.T, fs afero.Fs) { sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "") sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName) + sociShaSumFileName := sociFileName + ".sha256sum" + sociShaSumDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociShaSumFileName) sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion) sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader, - sociDownloadURL, sociFileName, + sociDownloadURL, + sociShaSumFileName, + sociShaSumDownloadURL, sociServiceDownloadURL) buf, err := afero.ReadFile(fs, "/override.yaml") 
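Review bot: The `fmt.Sprintf` call in `provisionSociSnapshotter` now fills six positional `%s` verbs, including two file-name/URL pairs, and nothing ties an argument to its slot. A swapped pair still compiles and renders, and only fails inside the VM at provisioning time. Either document the order above the call, `// args: header, tarball name, tarball URL, shasum name, shasum URL, service URL`, or use indexed verbs such as `%[2]s` in `sociInstallationScriptFormat` so each value is referenced by position explicitly. The function body continues outside the hunk.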
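Review bot: The expected script in this `postRunCheck` is rebuilt from the same `sociInstallationScriptFormat` constant with the same argument order as the production code. Whatever it is compared against (presumably the contents read from `/override.yaml`), the check cannot notice a misplaced argument or a verification line missing from the template. Add an assertion on the rendered content itself, for example that the provisioned script contains `sha256sum --check --status` and the `.sha256sum` file name. The same applies to the hunks at `@@ -262,11` and `@@ -321,11`; each closure body continues outside its hunk.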
@@ -262,11 +266,15 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) { postRunCheck: func(t *testing.T, fs afero.Fs) { sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "") sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName) + sociShaSumFileName := sociFileName + ".sha256sum" + sociShaSumDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociShaSumFileName) sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion) sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader, - sociDownloadURL, sociFileName, + sociDownloadURL, + sociShaSumFileName, + sociShaSumDownloadURL, sociServiceDownloadURL) buf, err := afero.ReadFile(fs, "/override.yaml") @@ -321,11 +329,15 @@ func TestDiskLimaConfigApplier_Apply(t *testing.T) { postRunCheck: func(t *testing.T, fs afero.Fs) { sociFileName := fmt.Sprintf(sociFileNameFormat, sociVersion, "") sociDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociFileName) + sociShaSumFileName := sociFileName + ".sha256sum" + sociShaSumDownloadURL := fmt.Sprintf(sociDownloadURLFormat, sociVersion, sociShaSumFileName) sociServiceDownloadURL := fmt.Sprintf(sociServiceDownloadURLFormat, sociVersion) sociInstallationScript := fmt.Sprintf(sociInstallationScriptFormat, sociInstallationProvisioningScriptHeader, - sociDownloadURL, sociFileName, + sociDownloadURL, + sociShaSumFileName, + sociShaSumDownloadURL, sociServiceDownloadURL) buf, err := afero.ReadFile(fs, "/override.yaml")