Installation and signature verification
Installation
By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
# Download the binary
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/vendir-linux-amd64
# Move the binary in to your PATH
mv vendir-linux-amd64 /usr/local/bin/vendir
# Make the binary executable
chmod +x /usr/local/bin/vendir
Via Homebrew (macOS or Linux)
$ brew tap carvel-dev/carvel
$ brew install vendir
$ vendir version
Verify checksums file signature
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:
# Download the checksums file, certificate and signature
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/checksums.txt
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/checksums.txt.pem
curl -LO https://github.com/carvel-dev/vendir/releases/download/v0.42.0/checksums.txt.sig
# Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/carvel-dev \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature.
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
Changelog
- 064b9c4 Allow additional CA certs to be supplied via vendir YAML when pulling an imgpkg bundle by @100mik
- f6eaffe fix: avoid panic by checking response for nil by @Zebradil
📂 Files Checksum
40afd08db3b1ee96350f1ab09bd9208aa7edec458c4b5f167eb71ac076576571 ./vendir-linux-amd64
683ad9c8174f9f81dc17b2fd81f79a7f83a40a942201ae15a50d97a586fb16be ./vendir-windows-amd64.exe
a47b6aab79f4fdd66136e8a8434b6d8c8fc16ad4c38c60fcc5e95475fd333e24 ./vendir-darwin-arm64
df7487c414da4425aa682271f236ae2912c828eb8b1aaebbb2f1af010ef5b289 ./vendir-darwin-amd64
fd631a32207efd79d84911186c50d80cbd136a4cddb5dffa3f11c3f7689c6ff0 ./vendir-linux-arm64