Skip to content

Latest commit

 

History

History
117 lines (86 loc) · 3.02 KB

INSTALL.md

File metadata and controls

117 lines (86 loc) · 3.02 KB

Install

tfprovidercheck is written in Go. So you only have to install a binary in your PATH.

There are some ways to install tfprovidercheck.

  1. Homebrew
  2. Scoop
  3. aqua
  4. GitHub Releases
  5. Build an executable binary from source code yourself using Go

Homebrew

You can install tfprovidercheck using Homebrew.

brew install suzuki-shunsuke/tfprovidercheck/tfprovidercheck

Scoop

You can install tfprovidercheck using Scoop.

scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install tfprovidercheck

aqua

You can install tfprovidercheck using aqua.

aqua g -i suzuki-shunsuke/tfprovidercheck

Build an executable binary from source code yourself using Go

go install github.com/suzuki-shunsuke/tfprovidercheck/cmd/tfprovidercheck@latest

GitHub Releases

You can download an asset from GitHub Releases. Please unarchive it and install a pre built binary into $PATH.

Verify downloaded assets from GitHub Releases

You can verify downloaded assets using some tools.

  1. GitHub CLI
  2. slsa-verifier
  3. Cosign

1. GitHub CLI

You can install GitHub CLI by aqua.

aqua g -i cli/cli
version=v1.0.1
asset=tfprovidercheck_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/tfprovidercheck "$version" -p "$asset"
gh attestation verify "$asset" \
  -R suzuki-shunsuke/tfprovidercheck \
  --signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml

2. slsa-verifier

You can install slsa-verifier by aqua.

aqua g -i slsa-framework/slsa-verifier
version=v1.0.1
asset=tfprovidercheck_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/tfprovidercheck "$version" -p "$asset" -p multiple.intoto.jsonl
slsa-verifier verify-artifact "$asset" \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/suzuki-shunsuke/tfprovidercheck \
  --source-tag "$version"

3. Cosign

You can install Cosign by aqua.

aqua g -i sigstore/cosign
version=v1.0.1
checksum_file="tfprovidercheck_${version#v}_checksums.txt"
asset=tfprovidercheck_darwin_arm64.tar.gz
gh release download "$version" \
  -R suzuki-shunsuke/tfprovidercheck \
  -p "$asset" \
  -p "$checksum_file" \
  -p "${checksum_file}.pem" \
  -p "${checksum_file}.sig"
cosign verify-blob \
  --signature "${checksum_file}.sig" \
  --certificate "${checksum_file}.pem" \
  --certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  "$checksum_file"
cat "$checksum_file" | sha256sum -c --ignore-missing