public
/
keyfork
5
0
Fork 0
Code Issues 29 Pull Requests 2 Packages Projects Releases Wiki Activity
keyfork/keyfork-user-guide/src/INSTALL.md

54 lines
2.2 KiB
Markdown
Raw Blame History

# Installing Keyfork
Keyfork is hosted using the Distrust Cargo repository. For the fastest
installation path (this is not recommended), crates may be installed directly
from the Cargo repository:
```sh
cargo install --index https://git.distrust.co/public/_cargo-index keyfork@0.1.0
```
The index is managed by Distrust, but is not signed by developers when commits
are created, so a safer alternative may be to build from source. It is
recommended to perform these operations on a machine dedicated for the purpose
of building Rust binaries, to avoid the risk of building a compromised binary.
```sh
git clone https://git.distrust.co/public/keyfork
cd keyfork
# git checkout keyfork-0.1.0
git verify-commit HEAD
cargo install --locked --path keyfork
```
This will build Keyfork from source, using a local `Cargo.lock` file to ensure
dependencies are not updated automatically.
## Installing Plumbing Binaries
Keyfork offers "plumbing" binaries (as opposed to the "porcelain" `keyfork`)
that offer a smaller [SBOM], allowing users with a smaller feature requirement
to lessen the requirements for code review. Plumbing binaries can be installed
the same way Keyfork is installed, either through the registry or by building
locally. Plumbing binaries are grouped by crates of shared dependencies. For
instance, `keyfork-plumbing` includes all binaries using only shared
dependencies. Eventually, `keyfork-plumbing-openpgp` may contain all
dependencies relevant to OpenPGP (such as the `keyfork-shard` variants,
`keyfork-derive-openpgp`, and `keyfork-provision-openpgp-card`). There may also
be plumbing binaries that exist by themselves, without a plumbing package.
Unfortunately, Cargo offers no convenient way to install a binary from any
package on a workspace, so the information about which package contains which
binary must be known beforehand.
<!-- TODO:
Should plumbing binaries be their own packages?
A convenient command to find the package for a binary should be provided.
-->
```sh
cargo install --index https://git.distrust.co/public/_cargo-index keyfork-plumbing@0.1.0
cargo install --locked --path keyfork-plumbing --bin keyfork-entropy
```
[SBOM]: https://en.wikipedia.org/wiki/SBOM
Reference in New Issue View Git Blame Copy Permalink