diff --git a/.gitea/workflows/base-build.yml b/.gitea/workflows/base-build.yml index d1223f5..3db42d8 100644 --- a/.gitea/workflows/base-build.yml +++ b/.gitea/workflows/base-build.yml @@ -29,6 +29,8 @@ jobs: run: | versions=(buster bullseye bookworm trixie docker-build) + rm -f sha256sums.txt + for version in "${versions[@]}"; do echo "[INFO] Building Debian $version rootfs..." docker build --build-arg VERSION=$version -t fithwum/debian-$version-base . @@ -38,14 +40,20 @@ jobs: fithwum/debian-$version-base \ bash base-image-script/debian-${version}_pt1.sh - # Normalize tarball to expected structure - echo "[INFO] Normalizing archive output for $version..." - ROOTFS_ARCHIVE="debian-${version}.tar.bz2" - if [ -f "$ROOTFS_ARCHIVE" ]; then - mkdir -p "${version}" - mv "$ROOTFS_ARCHIVE" "${version}/rootfs-${version}.tar.bz2" + RAW_ARCHIVE="debian-${version}.tar.bz2" + FINAL_ARCHIVE="${version}/rootfs-${version}.tar.bz2" + + if [[ -f "$RAW_ARCHIVE" ]]; then + mkdir -p "$(dirname "$FINAL_ARCHIVE")" + mv "$RAW_ARCHIVE" "$FINAL_ARCHIVE" + + # Generate and log SHA256 + CHECKSUM=$(sha256sum "$FINAL_ARCHIVE" | awk '{print $1}') + echo "[INFO] SHA256 for $FINAL_ARCHIVE: $CHECKSUM" + echo "$CHECKSUM $FINAL_ARCHIVE" >> sha256sums.txt else - echo "[WARNING] Expected archive $ROOTFS_ARCHIVE not found for $version!" + echo "[ERROR] Archive for $version not found: $RAW_ARCHIVE" + exit 1 fi done @@ -53,6 +61,12 @@ jobs: run: | echo "[INFO] Looking for tarballs in workspace..." find . -name '*.tar.bz2' -ls + + - name: Upload SHA256 checksums + uses: actions/upload-artifact@v4 + with: + name: sha256sums + path: sha256sums.txt # build-rootfs-archives: # runs-on: docker-build @@ -214,6 +228,9 @@ jobs: run: | git clone "https://${{ secrets.GIT_USERNAME }}:${{ secrets.GIT_TOKEN }}@gitea.fithwum.tech/fithwum/debian-base.git" upload-repo + - name: Copy checksum file into workspace + run: cp ../sha256sums.txt upload-repo/ + - name: Generate build-info.json per version run: | human_size() { 
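Review bot: In the `@@ -38,14 +40,20 @@` hunk, `sha256sums.txt` is generated by the same job that builds the archive, and a later step in this commit copies it into `upload-repo/`. It therefore detects corruption in transit but gives no protection if the runner or the repository is tampered with, since whoever can replace the tarball can replace the digest too. Consider signing the checksum file, or publishing the digest through a channel with separate write access, and document the limit with a comment such as `# integrity only: this digest is not an authenticity guarantee unless sha256sums.txt is signed`. Separately, writing the tool's own output with `sha256sum "$FINAL_ARCHIVE" | tee -a sha256sums.txt` avoids re-assembling the line by hand and keeps the file in the format `sha256sum -c` reads. The enclosing `for` loop starts outside this hunk.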
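Review bot: In the `@@ -53,6 +61,12 @@` hunk, the new step references `actions/upload-artifact@v4` by a mutable tag, so the code that handles the checksum file can change without any change to this repository. Pin it to a full commit SHA, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v4`. Also add `if-no-files-found: error` under `with:` so a missing `sha256sums.txt` fails the job instead of producing a warning and an empty artifact.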
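Review bot: In the `@@ -214,6 +228,9 @@` hunk, `cp ../sha256sums.txt upload-repo/` reads the file from the parent directory, whereas the build step writes `sha256sums.txt` into its own working directory. The preceding `git clone … upload-repo` creates `upload-repo/` in the current directory, so the two paths only agree if this step runs one level below the build step. If this step belongs to a different job, which the line numbers suggest but the hunk does not show, the workspace is not shared and the file has to be fetched from the `sha256sums` artifact first; no download step is visible in this diff. Something like `cp sha256sums.txt upload-repo/` after a download of that artifact would make the source explicit. The `@@ -244,6 +261,12 @@` hunk reads the same `../sha256sums.txt` path and needs the same check.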
@@ -244,6 +261,12 @@ jobs: if [[ -z "$size_bytes" ]]; then size_bytes=0; fi size_human=$(human_size "$size_bytes") + + # Load SHA256 from file if available + SHA256=$(grep "/$version/rootfs-$version.tar.bz2" ../sha256sums.txt | awk '{print $1}') + if [[ -z "$SHA256" ]]; then + SHA256="unknown" + fi jq -n \ --arg version "$version" \ @@ -253,6 +276,7 @@ jobs: --arg digest "$digest" \ --arg image_size "$size_human" \ --argjson image_size_bytes "$size_bytes" \ + --arg sha256 "$SHA256" \ '{ version: $version, commit: $commit, @@ -260,9 +284,10 @@ jobs: image_tag: $image_tag, digest: $digest, image_size: $image_size, - image_size_bytes: $image_size_bytes + image_size_bytes: $image_size_bytes, + rootfs_sha256: $sha256 }' > "$infofile" - done + - name: Commit and push build-info if changed run: |
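Review bot: In the `@@ -244,6 +261,12 @@` hunk, the pattern `"/$version/rootfs-$version.tar.bz2"` starts with a slash, but the build step writes entries as `$CHECKSUM $FINAL_ARCHIVE` with `FINAL_ARCHIVE="${version}/rootfs-${version}.tar.bz2"`. No line contains `/<version>/…`, so the lookup never matches and every `build-info.json` gets `rootfs_sha256: "unknown"`. Match the filename field exactly instead of using a regex: `SHA256=$(awk -v f="$version/rootfs-$version.tar.bz2" '$2 == f {print $1}' ../sha256sums.txt)`. Since consumers will use this field to verify the rootfs, an empty result is better treated as a build failure (`echo "[ERROR] no checksum for $version"; exit 1`) than published as the placeholder `unknown`. The enclosing loop starts and ends outside this hunk.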
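Review bot: In the `@@ -260,9 +284,10 @@` hunk, the `done` after `}' > "$infofile"` appears to be removed and replaced by a blank line; the header's counts (9 old lines, 10 new) are consistent with that reading. If the `jq` call sits inside a per-version `for` loop, as the use of `$version` and `$infofile` suggests, the `run:` script no longer closes the loop and bash will stop with a syntax error before any `build-info.json` is written. Restore the line `done` directly after `}' > "$infofile"`. The loop header is outside this hunk, so this needs confirming against the full file.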