Binstall is a tool to fetch and install Rust-based executables as binaries. It aims to be a drop-in replacement for cargo install in most cases. Install it today with cargo install cargo-binstall, from the binaries below, or if you already have it, upgrade with cargo binstall cargo-binstall.
[Reddit] [Bluesky] [Twitter] [Masto]
In this release:
-
Initial support for verifying package signatures! (#1 #1345 #1382 #1383)
After a lot of discussions, we now support verifying signatures for downloaded files. This release has support for a single algorithm, minisign. We expect to implement more later, and would warmly welcome contributions in this regard.
With this comes two new options:
--only-signedwill refuse to install non-signed packages, and--skip-signaturesdisables the functionality entirely (for testing only!).Adding signature support for your package as a first party requires adding to your Cargo.toml: we don't perform auto-detection of signature schemes at this juncture. Documentation and a guide is available in SIGNING.md.
The 3rd-party quick-install repository of packages (part of the cargo-bins umbrella organisation) has already implemented signing; if you only want first-party signed packages you should add
--disable-strategies quick-install. -
Binstall's releases are now signed. (#1347 #1398 #1400)
We use a just-in-time ephemeral key or "keyless" setup which generates a brand new signing key for every release.
You can find the public key for each release in a number of places:
- in the crate's Cargo.toml metadata (this is where Binstall looks for it)
- as the
minisign.pubfile in the packaged source crate (from crates.io) - as the
minisign.pubfile in the downloads below - as the
minisign.pubfile in the.full.variants of the packages below
Of course, Binstall ^1.4.1 is able to verify its own signature:
cargo binstall -y --only-signed cargo-binstall