keyfork/keyfork-user-guide/src/INSTALL.md

# Installing Keyfork

Keyfork is hosted using the Distrust Cargo repository. For the fastest
installation path (this is not recommended), crates may be installed directly
from the Cargo repository:

```sh
cargo install --index https://git.distrust.co/public/_cargo-index keyfork@0.1.0
```

The index is managed by Distrust, but is not signed by developers when commits
are created, so a safer alternative may be to build from source. It is
recommended to perform these operations on a machine dedicated for the purpose
of building Rust binaries, to avoid the risk of building a compromised binary.

```sh
git clone https://git.distrust.co/public/keyfork
cd keyfork
# git checkout keyfork-0.1.0
git verify-commit HEAD
cargo install --locked --path keyfork
```

This will build Keyfork from source, using a local `Cargo.lock` file to ensure
dependencies are not updated automatically.

## Installing Plumbing Binaries

Keyfork offers "plumbing" binaries (as opposed to the "porcelain" `keyfork`)
that offer a smaller [SBOM], allowing users with a smaller feature requirement
to lessen the requirements for code review. Plumbing binaries can be installed
the same way Keyfork is installed, either through the registry or by building
locally. Plumbing binaries are grouped by crates of shared dependencies. For
instance, `keyfork-plumbing` includes all binaries using only shared
dependencies. Eventually, `keyfork-plumbing-openpgp` may contain all
dependencies relevant to OpenPGP (such as the `keyfork-shard` variants,
`keyfork-derive-openpgp`, and `keyfork-provision-openpgp-card`). There may also
be plumbing binaries that exist by themselves, without a plumbing package.
Unfortunately, Cargo offers no convenient way to install a binary from any
package on a workspace, so the information about which package contains which
binary must be known beforehand.

<!-- TODO:
  Should plumbing binaries be their own packages?
  A convenient command to find the package for a binary should be provided.
  -->

```sh
cargo install --index https://git.distrust.co/public/_cargo-index keyfork-plumbing@0.1.0
cargo install --locked --path keyfork-plumbing --bin keyfork-entropy
```

[SBOM]: https://en.wikipedia.org/wiki/SBOM
keyfork-user-guide: initial commit 2023-10-18 11:33:50 +00:00			`# Installing Keyfork`

			`Keyfork is hosted using the Distrust Cargo repository. For the fastest`
			`installation path (this is not recommended), crates may be installed directly`
			`from the Cargo repository:`

			```sh
			`cargo install --index https://git.distrust.co/public/_cargo-index keyfork@0.1.0`
			```

			`The index is managed by Distrust, but is not signed by developers when commits`
			`are created, so a safer alternative may be to build from source. It is`
			`recommended to perform these operations on a machine dedicated for the purpose`
			`of building Rust binaries, to avoid the risk of building a compromised binary.`

			```sh
			`git clone https://git.distrust.co/public/keyfork`
			`cd keyfork`
			`# git checkout keyfork-0.1.0`
			`git verify-commit HEAD`
			`cargo install --locked --path keyfork`
			```

			This will build Keyfork from source, using a local `Cargo.lock` file to ensure
			`dependencies are not updated automatically.`

			`## Installing Plumbing Binaries`

			Keyfork offers "plumbing" binaries (as opposed to the "porcelain" `keyfork`)
			`that offer a smaller [SBOM], allowing users with a smaller feature requirement`
			`to lessen the requirements for code review. Plumbing binaries can be installed`
			`the same way Keyfork is installed, either through the registry or by building`
			`locally. Plumbing binaries are grouped by crates of shared dependencies. For`
			instance, `keyfork-plumbing` includes all binaries using only shared
			dependencies. Eventually, `keyfork-plumbing-openpgp` may contain all
			dependencies relevant to OpenPGP (such as the `keyfork-shard` variants,
			`keyfork-derive-openpgp`, and `keyfork-provision-openpgp-card`). There may also
			`be plumbing binaries that exist by themselves, without a plumbing package.`
			`Unfortunately, Cargo offers no convenient way to install a binary from any`
			`package on a workspace, so the information about which package contains which`
			`binary must be known beforehand.`

			`<!-- TODO:`
			`Should plumbing binaries be their own packages?`
			`A convenient command to find the package for a binary should be provided.`
			`-->`

			```sh
			`cargo install --index https://git.distrust.co/public/_cargo-index keyfork-plumbing@0.1.0`
			`cargo install --locked --path keyfork-plumbing --bin keyfork-entropy`
			```

			`[SBOM]: https://en.wikipedia.org/wiki/SBOM`