Add curl|bash installer + wire upload into publish script

scripts/install.sh is the one-command installer end users run as

  curl -fsSL https://releases.thaloco.com/banger/install.sh | bash

Design choices:

* Runs as the invoking user. All network work + signature verification
  happens unprivileged; sudo is only re-execed for the actual install
  step that writes to /usr/local and creates systemd units.
* Right before the sudo prompt, the script prints a plain-language
  summary of exactly what's about to happen — the file paths it will
  create and a one-line "why sudo" — so the user authorises a known
  scope rather than the whole pipeline. Detail link in the docs.
* Uses openssl (universally available) for signature verification, not
  cosign. cosign is needed only by the *signer*, never the verifier.
* No jq dependency. The latest_stable field is extracted from the
  manifest with grep+sed, since the manifest shape is well-defined and
  we control it.
* /dev/tty fallback for the confirmation prompt so it works through
  the curl|bash pipe.
* --yes for non-interactive CI use, --user for installing into
  ~/.local/bin without touching system paths, --version vX.Y.Z to pin.

publish-banger-release.sh now uploads install.sh to the bucket root
on every publish, so the curl URL is stable but the script logic
matches the latest verified release. It also runs a key-drift check:
if scripts/install.sh's embedded cosign public key differs from the
one in internal/updater/verify_signature.go, publishing aborts. The
two copies must stay in sync or one of them ends up rejecting every
release.

README's Quick start now leads with the installer one-liner and
documents the audit-first variant alongside it; building from source
moves below.

Smoke-tested end to end against the live bucket with --user mode:
manifest fetch → tarball download → cosign signature verify → hash
verify → extract → install. The installed binary reports v0.1.0 at
commit 6fdebd9, matching the published artifact.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thales Maciel 2026-04-29 14:06:34 -03:00
parent d1c4619a01
commit 3c29af55a2
No known key found for this signature in database
GPG key ID: 33112E6833C34679
3 changed files with 296 additions and 0 deletions
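The pipeline the commit message describes (unprivileged fetch, openssl-only signature check, jq-free manifest parsing, /dev/tty prompt, a scoped sudo step, --user and --yes modes) together with the publish-time key-drift check, as an added shell example that is not banger's scripts/install.sh or its publish script. It assumes a manifest with top-level `latest_stable` and `sha256` strings and `<name>.sig` detached signatures of the kind `cosign sign-blob --key` emits (base64 of a DER ECDSA P-256/SHA-256 signature, which `openssl dgst -sha256 -verify` checks). The key, artifacts, paths and unit-file line are constructed for the demo and stand in for the real ones.

```bash
#!/usr/bin/env bash
# Added example, not banger's scripts/install.sh: the installer pattern the
# commit describes, runnable offline. An ephemeral P-256 key stands in for
# the release key; a constructed manifest and "tarball" are signed the way
# `cosign sign-blob --key` does (base64 of a DER ECDSA/SHA-256 signature)
# and checked with openssl only. Assumed manifest shape (not the project's):
# JSON with top-level "latest_stable" and "sha256" strings; sigs in <name>.sig.
set -euo pipefail

RELEASE_PUBKEY_PEM=""   # pinned verifier key (a cosign.pub); set by run_demo
ASSUME_YES=0            # --yes

# Pull one string field from a manifest whose shape we control, without jq.
extract_field() {            # $1 = field name, $2 = manifest path
  grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" "$2" \
    | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/'
}

# cosign-style detached signature: base64 -> DER, then ECDSA/SHA-256 verify.
verify_sig() {               # $1 = artifact, $2 = base64 signature file
  local pub der rc=1
  pub="$(mktemp)"; der="$(mktemp)"
  printf '%s\n' "$RELEASE_PUBKEY_PEM" > "$pub"
  if openssl base64 -d -A -in "$2" -out "$der" 2>/dev/null &&
     openssl dgst -sha256 -verify "$pub" -signature "$der" "$1" >/dev/null 2>&1; then
    rc=0
  fi
  rm -f "$pub" "$der"; return "$rc"
}

# Independent integrity check against the digest carried in the manifest.
verify_sha256() {            # $1 = artifact, $2 = expected hex digest
  [ "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" = "$2" ]
}

# Prompt that survives `curl | bash`: stdin is the script, so talk to the
# controlling terminal when there is one, else fall back to stdin.
confirm() {                  # $1 = question; returns 0 for yes
  [ "$ASSUME_YES" = 1 ] && return 0
  local reply=""
  if { : < /dev/tty; } 2>/dev/null; then
    printf '%s [y/N] ' "$1" > /dev/tty; read -r reply < /dev/tty
  else
    printf '%s [y/N] ' "$1"; read -r reply
  fi
  case "$reply" in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

# State exactly what the sudo step touches before asking for it (the unit
# location is a placeholder here), so the user authorises that scope only.
privileged_scope() {         # $1 = verified binary
  cat <<EOF
The next step re-execs with sudo. It will:
  - install $1 to /usr/local/bin/banger
  - write the service's systemd unit files
Why sudo: those paths are root-owned. Download and signature checks already
completed unprivileged as $(id -un).
EOF
}

# --user mode: install under a prefix the invoking user owns, no sudo.
install_to() {               # $1 = verified binary, $2 = bin dir
  mkdir -p "$2" && install -m 0755 "$1" "$2/banger"
}

# Publish-time key-drift check: the PEM embedded in two files must match.
pem_of() { sed -n '/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p' "$1" | tr -d ' \t\r'; }
keys_match() {               # $1, $2 = files each embedding one public key
  [ -n "$(pem_of "$1")" ] && [ "$(pem_of "$1")" = "$(pem_of "$2")" ]
}

# Offline walk-through of manifest -> signatures -> hash -> install, plus the
# two failure cases: a tampered artifact and a drifted embedded key.
run_demo() {
  local w f ver out=""
  w="$(mktemp -d)"
  openssl ecparam -name prime256v1 -genkey -noout -out "$w/release.key" 2>/dev/null
  RELEASE_PUBKEY_PEM="$(openssl ec -in "$w/release.key" -pubout 2>/dev/null)"
  printf 'constructed tarball bytes\n' > "$w/banger-v0.1.0.tar.gz"
  printf '{"latest_stable": "v0.1.0", "sha256": "%s"}\n' \
    "$(openssl dgst -sha256 -r "$w/banger-v0.1.0.tar.gz" | cut -d' ' -f1)" > "$w/manifest.json"
  for f in manifest.json banger-v0.1.0.tar.gz; do
    openssl dgst -sha256 -sign "$w/release.key" -out "$w/$f.der" "$w/$f"
    openssl base64 -A -in "$w/$f.der" -out "$w/$f.sig"
  done
  verify_sig "$w/manifest.json" "$w/manifest.json.sig" && out="manifest_sig_ok"
  ver="$(extract_field latest_stable "$w/manifest.json")"; out="$out $ver"
  verify_sig "$w/banger-$ver.tar.gz" "$w/banger-$ver.tar.gz.sig" && out="$out tarball_sig_ok"
  verify_sha256 "$w/banger-$ver.tar.gz" "$(extract_field sha256 "$w/manifest.json")" && out="$out hash_ok"
  privileged_scope "$w/banger-$ver.tar.gz" | grep -c 'Why sudo' >/dev/null && out="$out scope_shown"
  ASSUME_YES=1; confirm "Install?" && install_to "$w/banger-$ver.tar.gz" "$w/bin" && out="$out installed"
  printf 'x' >> "$w/banger-$ver.tar.gz"                     # tamper after signing
  verify_sig "$w/banger-$ver.tar.gz" "$w/banger-$ver.tar.gz.sig" || out="$out tamper_rejected"
  printf '%s\n' "$RELEASE_PUBKEY_PEM" > "$w/a"; sed '2s/^./A/' "$w/a" > "$w/c"  # one base64 char changed
  keys_match "$w/a" "$w/c" || out="$out drift_detected"
  rm -rf "$w"; printf '%s\n' "$out"
}

run_demo
```

Two points the example is shaped around. The signature check and the hash check are separate steps on purpose: the signature binds the bytes to the release key, the manifest digest catches a tarball swapped after the manifest was fetched, and a mismatch in either aborts before anything is installed. And the script defines every function first and invokes `run_demo` only on its last line, which is the usual defence for a piped installer: a download cut off mid-transfer then defines some functions and runs nothing, instead of executing a truncated command.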


@ -6,6 +6,24 @@ One-command development sandboxes on Firecracker microVMs.
## Quick start
```bash
curl -fsSL https://releases.thaloco.com/banger/install.sh | bash
banger vm run --name sandbox
```
The installer runs as you, downloads + verifies the latest signed
release, then prompts before re-execing `sudo` for the system-install
step (writing `/usr/local/bin` + creating systemd units). If you'd
rather audit the script first:
```bash
curl -fsSL https://releases.thaloco.com/banger/install.sh -o install.sh
less install.sh
bash install.sh
```
Or build from source:
```bash
make build
sudo ./build/bin/banger system install --owner "$USER"
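Review bot: the Quick start documents none of the installer's flags, although the commit message adds `--yes`, `--user` and `--version vX.Y.Z`; a reader who wants the no-sudo path into `~/.local/bin`, a CI install, or a pinned version will not find them in this hunk. Add a line after the audit-first block, e.g. `bash install.sh --user` and `bash install.sh --version vX.Y.Z`. Also worth stating plainly that "downloads + verifies the latest signed release" covers the tarball, not install.sh itself, which nothing in this change signs: the one-liner trusts TLS to releases.thaloco.com, and that is the reason the audit-first variant exists.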