Installation
Static binaries
Section titled “Static binaries”Pre-built static binaries are available from GitHub Releases for:
| Platform | Architecture |
|---|---|
| Linux | x86_64, aarch64, riscv64 |
| macOS | x86_64, aarch64 |
| Windows | x86_64, aarch64 |
Download the binary for your platform, make it executable, and place it on your PATH.
Verifying a download
Section titled “Verifying a download”Every released binary is signed with a Sigstore-backed GitHub artifact attestation, and the attestation bundle is published as a Release asset named <binary>.sigstore.json alongside the binary. This lets you verify a download on any platform using cosign v2.4.0 or later:
VERSION=<x.y.z>BASE="https://github.com/zantarix/cursus/releases/download/cursus@${VERSION}"
# Download the binary and its co-located bundlecurl -fsSLO "${BASE}/cursus-linux-x86_64"curl -fsSLO "${BASE}/cursus-linux-x86_64.sigstore.json"
# Verify offline against the Sigstore public-good trust rootcosign verify-blob-attestation \ --bundle cursus-linux-x86_64.sigstore.json \ --new-bundle-format \ --certificate-identity "https://github.com/zantarix/cursus/.github/workflows/release-artifacts.yml@refs/tags/cursus@${VERSION}" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ cursus-linux-x86_64Substitute the artifact name for your platform (for example cursus-osx-aarch64, cursus-windows-x86_64.exe, or cursus-linux-riscv64gc for riscv64); the bundle asset is always the binary name with .sigstore.json appended. Verification fails closed if the binary or bundle has been tampered with. This is the same bundle the npm package verifies against. See ADR-061 and the security policy for the full trust chain.
If you use Node.js, you can install Cursus via npm. The package downloads the appropriate static binary for your platform during postinstall. Each download is verified against its co-located Sigstore attestation bundle (the <binary>.sigstore.json Release asset) to ensure the build is an official one. See the security policy for details on the verification chain and how to audit it manually.
npm install --save-dev @zantarix/cursusThis makes cursus available via npx cursus or in npm scripts.
From source
Section titled “From source”With a Rust toolchain installed:
cargo install cursus-binThis builds from source and installs the binary to ~/.cargo/bin/.
cargo-binstall
Section titled “cargo-binstall”If you have cargo-binstall installed, you can install the prebuilt binary from GitHub Releases without compiling from source:
cargo binstall cursus-binThis downloads the matching static binary for your host triple (including glibc Linux, which is mapped to the equivalent musl artifact) and installs it to ~/.cargo/bin/. cargo-binstall verifies the download via HTTPS; for stronger identity-pinned provenance verification, follow the token-free cosign steps above against the installed binary (downloading the matching .sigstore.json bundle for its artifact), or run gh attestation verify --repo zantarix/cursus ~/.cargo/bin/cursus if you have a GitHub token available.
cargo-run-bin
Section titled “cargo-run-bin”If you pin tooling versions per-repository using cargo-run-bin, you can declare cursus as a project-scoped binary in your own Cargo.toml:
[package.metadata.bin]cursus-bin = { version = "<desired-version>" }When cargo-binstall is also installed, cargo-run-bin will delegate to it and pick up the prebuilt binary, so the install is a fast download rather than a from-source build.
Verify installation
Section titled “Verify installation”cursus --version