README
sfetch
Secure, verifiable, zero-trust downloader for the uncertain world
The one-liner
sfetch is the curl | sh you can actually trust in 2026.
A tiny (~3 MB), statically-linked Go binary that downloads release artifacts from GitHub (or any URL) and refuses to install them unless both the checksum and the signature (raw ed25519/minisign or PGP) verify.
No runtime dependencies. No package manager required. Works in CI, Docker, and air-gapped environments.
Why sfetch exists
Most engineering orgs sign their releases now.
Yet we still ship 15-line bash bootstrap scripts that do a manual curl → sha256sum → maybe cosign verify dance, and every copy of that script is one more place to get the verification wrong or skip it.
sfetch is the small missing piece that replaces those scripts.
Security & Verification
See docs/security.md.
Asset Discovery
sfetch auto-selects the release asset to download via filename heuristics; see docs/pattern-matching.md for the matching rules and how to override them.
Signature verification
- Use `--key <64-hex-bytes>` for raw `.sig`/`.minisig` ed25519 signatures.
- Use `--pgp-key-file fulmen-release.asc`, `--pgp-key-url https://example/key.asc`, or `--pgp-key-asset fulmen-release.asc` (plus optional `--gpg-bin`) for ASCII-armored `.asc` signatures. `--pgp-key-file` takes precedence and also accepts http(s) URLs; next comes `--pgp-key-url`, then `--pgp-key-asset`, and finally auto-detection of `.asc` assets whose names contain keywords like "key" or "release". Note that a key taken from the same release (`--pgp-key-asset` or auto-detect) only proves the release is self-consistent; for a real trust anchor, pin a key you obtained out of band.
- See `docs/key-handling.md` for exporting keys, testing them safely, and wiring CI.
- Need concrete flag combos? Run `sfetch -helpextended` to print the embedded quickstart.
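The raw ed25519 path above boils down to two independent checks that must both pass before anything is installed: the SHA-256 listed for the asset in a `sha256sum`-style checksums file, and a 64-byte detached signature over the artifact verified under the 32-byte public key given as 64 hex characters. The following is an added example written for this page, not sfetch's own code; the function names, the constructed in-memory release (archive bytes, checksums file, throwaway key) and the asset names are assumptions. It verifies a good artifact and then a tampered copy, and shows that an unknown asset name or a malformed key is a hard failure rather than a pass.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// verifyArtifact enforces a "checksum AND signature" policy: the SHA-256 recorded
// for assetName in checksumFile must match the bytes, and the raw 64-byte ed25519
// signature must verify under pubKeyHex (64 hex chars = 32-byte public key).
// Any failure returns an error; the caller must not install on error.
func verifyArtifact(artifact []byte, assetName, checksumFile string, sig []byte, pubKeyHex string) error {
	pub, err := hex.DecodeString(pubKeyHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("public key must be exactly 64 hex characters (32 bytes)")
	}
	want, err := lookupChecksum(checksumFile, assetName)
	if err != nil {
		return err
	}
	got := sha256.Sum256(artifact)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("checksum mismatch for %s", assetName)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(ed25519.PublicKey(pub), artifact, sig) {
		return fmt.Errorf("ed25519 signature does not verify for %s", assetName)
	}
	return nil
}

// lookupChecksum parses sha256sum-style lines ("<hex>  <name>", optionally "*name"
// for binary mode) and returns the digest recorded for name. A missing or
// malformed entry is an error, never an implicit pass.
func lookupChecksum(checksumFile, name string) ([]byte, error) {
	for _, line := range strings.Split(checksumFile, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		if strings.TrimPrefix(fields[1], "*") != name {
			continue
		}
		sum, err := hex.DecodeString(fields[0])
		if err != nil || len(sum) != sha256.Size {
			return nil, fmt.Errorf("malformed checksum entry for %s", name)
		}
		return sum, nil
	}
	return nil, fmt.Errorf("no checksum entry for %s", name)
}

// demo builds a constructed release entirely in memory (fake archive bytes, a
// two-entry checksums file, a signature from a throwaway key) and verifies both
// the genuine artifact and a tampered copy. It returns (goodErr, tamperedErr).
func demo() (goodErr, tamperedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err
	}
	const asset = "sfetch_linux_amd64.tar.gz" // assumed asset name
	artifact := []byte("constructed release archive bytes")
	sum := sha256.Sum256(artifact)
	other := sha256.Sum256([]byte("some other asset"))
	checksums := fmt.Sprintf("%x  %s\n%x  other_asset.tar.gz\n", sum, asset, other)
	sig := ed25519.Sign(priv, artifact)
	pubHex := hex.EncodeToString(pub) // this is what --key <64-hex-bytes> carries

	goodErr = verifyArtifact(artifact, asset, checksums, sig, pubHex)
	tampered := append(append([]byte(nil), artifact...), '!')
	tamperedErr = verifyArtifact(tampered, asset, checksums, sig, pubHex)
	return goodErr, tamperedErr
}

func main() {
	good, tampered := demo()
	fmt.Println("genuine artifact:", good)
	fmt.Println("tampered artifact:", tampered)
}
```

This is only the raw `.sig` flavour: a `.minisig` file wraps the same ed25519 signature in base64 together with a key id and comment lines and has to be parsed first, and the PGP path is a different verifier entirely. Whether the signature covers each artifact (as here) or the checksums file is a release-policy choice; either way the checksum alone is not a trust decision, since an attacker who can replace the asset can replace an unsigned checksums file too.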
Build, versioning & install
We use CalVer in vYYYY.MM.DD format (e.g., v2025.12.05). If multiple releases ship on the same day we append a revision (v2025.12.05.1, v2025.12.05.2, ...). See CHANGELOG.md, RELEASE_NOTES.md, and docs/releases/ for per-release detail.
```sh
make build                       # produces bin/sfetch_${GOOS}_${GOARCH}
make install                     # installs to ~/.local/bin by default
INSTALL_BINDIR=~/bin make install # override install location
```
- Edit `buildconfig.mk` to change the canonical binary name (NAME) or the default install destination once.
- On Windows, `make install` targets `%USERPROFILE%\bin`; ensure that directory is present in `PATH`.
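Because `--tag` pins a release and `--latest` picks the newest one, it is worth being precise about what "newest" means under the CalVer scheme described above: date first, then the same-day revision, with `v2025.12.05` (revision 0) older than `v2025.12.05.1`. The following parser and comparator is an added example for this page, not sfetch's own code; the type and function names are assumptions, and month/day accept one or two digits so a tag written like `v2025.12.3` also parses. Tags that do not fit the scheme (`nightly`, `latest`, `v2025.12.05-rc1`) are skipped so they can never be selected as a release, and an impossible date is rejected rather than sorted as newest.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// CalVer is a parsed release tag in the vYYYY.MM.DD[.N] scheme: v2025.12.05 is
// revision 0, v2025.12.05.1 and v2025.12.05.2 are later same-day releases.
type CalVer struct {
	Year, Month, Day, Rev int
}

// calverRe is anchored at both ends so "v2025.12.05-rc1" or "v2025.12.05.1.0"
// do not parse. Month and day accept one or two digits.
var calverRe = regexp.MustCompile(`^v(\d{4})\.(\d{1,2})\.(\d{1,2})(?:\.(\d+))?$`)

// ParseCalVer parses tag and range-checks the date fields, so a typo such as
// v2025.13.05 is rejected instead of being ordered as the newest release.
func ParseCalVer(tag string) (CalVer, error) {
	m := calverRe.FindStringSubmatch(tag)
	if m == nil {
		return CalVer{}, fmt.Errorf("not a vYYYY.MM.DD[.N] tag: %q", tag)
	}
	var v CalVer
	v.Year, _ = strconv.Atoi(m[1])
	v.Month, _ = strconv.Atoi(m[2])
	v.Day, _ = strconv.Atoi(m[3])
	if m[4] != "" {
		rev, err := strconv.Atoi(m[4])
		if err != nil {
			return CalVer{}, fmt.Errorf("revision out of range in %q", tag)
		}
		v.Rev = rev
	}
	if v.Month < 1 || v.Month > 12 || v.Day < 1 || v.Day > 31 {
		return CalVer{}, fmt.Errorf("invalid date in tag %q", tag)
	}
	return v, nil
}

// Less orders by date first, then by same-day revision.
func (a CalVer) Less(b CalVer) bool {
	if a.Year != b.Year {
		return a.Year < b.Year
	}
	if a.Month != b.Month {
		return a.Month < b.Month
	}
	if a.Day != b.Day {
		return a.Day < b.Day
	}
	return a.Rev < b.Rev
}

// Latest returns the newest release tag in tags. Tags that do not parse are
// skipped, not treated as errors, so a "nightly" or "latest" tag in the same
// repository can never win; an error is returned only if nothing parses.
func Latest(tags []string) (string, error) {
	best, found := "", false
	var bestV CalVer
	for _, tag := range tags {
		v, err := ParseCalVer(tag)
		if err != nil {
			continue
		}
		if !found || bestV.Less(v) {
			best, bestV, found = tag, v, true
		}
	}
	if !found {
		return "", errors.New("no vYYYY.MM.DD[.N] release tags found")
	}
	return best, nil
}

func main() {
	// Constructed tag list; v2025.12.05.2 is the newest even though it is listed first
	// and v2025.13.05 is an impossible date that must be ignored.
	tags := []string{"v2025.12.05.2", "nightly", "v2025.12.05", "v2025.11.30", "v2025.12.05.1", "v2025.13.05"}
	latest, err := Latest(tags)
	fmt.Println(latest, err)
}
```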
Manual signing workflow
CI uploads unsigned archives. Maintainers sign and re-upload artifacts with:
```sh
RELEASE_TAG=v2025.12.05 make release-download   # needs GitHub CLI (gh)
PGP_KEY_ID=security@fulmenhq.dev RELEASE_TAG=v2025.12.05 make release-sign
# Export the public key used above
mkdir -p dist/release
gpg --armor --export security@fulmenhq.dev > dist/release/sfetch-release-signing-key.asc
make verify-release-key
RELEASE_TAG=v2025.12.05 make release-notes      # copies RELEASE_NOTES.md
RELEASE_TAG=v2025.12.05 make release-upload     # gh release upload --clobber
```
Set RELEASE_TAG to the tag you're publishing. The scripts in scripts/ can be used individually if you prefer manual control.
```sh
# Install the latest goneat (or any signed tool) in one line
sfetch --repo fulmenhq/goneat --latest --output /usr/local/bin/goneat --pgp-key-file fulmen-release.asc
# Or pin exactly
sfetch --repo fulmenhq/goneat --tag v2025.12.3 --output /usr/local/bin/goneat --pgp-key-file fulmen-release.asc
```