Skip to content

KEYTRON/WARP

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.github/workflows
.github/workflows
 
 
docker
docker
 
 
src
src
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
build.sh
build.sh
 
 

Repository files navigation

WARP

WARP is a small package manager written in C. It downloads signed package archives, verifies integrity, and manages a local store under /var/lib/warp.

Alpine AlmaLinux Arch Artix Devuan Fedora Ubuntu Void Void Musl K1OS

View all WARP workflow runs

The trust model is simple:

  • GitHub release metadata is the source of truth for hashes and signatures.
  • Package delivery can happen through direct download, torrent, or P2P variants.
  • The downloaded bytes are always checked against the published SHA256 before installation.
  • Torrent/P2P are transport-only paths; they do not replace the GitHub-published hash and signature checks.
  • If a peer-sourced transfer stalls, WARP falls back to direct download.

Build

make

or:

./build.sh build

Install

sudo make install

or:

sudo ./build.sh install

By default the binary is installed to /usr/local/bin/warp. Set PREFIX if you want another location.

Commands

  • warp search <query>
  • warp install <package>
  • warp remove <package>
  • warp list
  • warp rollback <package>
  • warp info <package>
  • warp update
  • warp keygen [privkey_hex pubkey_hex]
  • warp sign <file>
  • warp pack <directory>

Release/index layout

The package index is expected at:

https://github.com/KEYTRON/WARP/releases/download/packages-v1/index.json

Package archives are expected to be published from the same repository under release assets.

Variants

Package entries can optionally define a variants array. Each variant can carry:

  • kind: direct, torrent, magnet, p2p, http, https, or file
  • url: delivery URL or magnet URI
  • sha256: expected archive hash
  • signature: optional signature for the variant metadata
  • priority: higher numbers win within the same transport class

If no variants array exists, WARP falls back to the legacy top-level url and sha256 fields.

Signing

Use warp sign <file> [privkey_hex] to create a <file>.sig sidecar with a base64 Ed25519 signature. The same keypair from warp keygen can be used to sign release metadata such as index.json.

Use warp keygen [privkey_hex pubkey_hex] to write the signing keypair to custom paths when you do not want to store release keys under /root.

WARP expects the package index and its signature from GitHub release assets:

  • index.json
  • index.json.sig

Variant metadata inside index.json may point to torrent or magnet URLs, but verification still uses the GitHub-published hash and signature after the payload is fetched.

For release indexes, the signed file and signature live side by side:

  • index.json
  • index.sig

About

Standalone C package manager with signed releases, torrent/P2P variants, and local store

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

WARP packages-v1 Latest
Apr 21, 2026

Packages

 
 
 

Contributors

Languages