#!/bin/bash
# Standalone installer for tektii-cli via get.tektii.com.
#
# Recommended usage (inspect before running):
#   curl -sSL https://get.tektii.com/install.sh -o install.sh && less install.sh && bash install.sh
#
# Quick install:
#   curl -sSL https://get.tektii.com/install.sh | bash
#
# Env overrides:
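#   TEKTII_DOWNLOAD_URL  — base URL for downloads (default: https://get.tektii.com/download/latest)
#                          The archive and its .sha256 file are both fetched from this URL, so the
#                          checksum detects a corrupted download but does not authenticate the source.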
#   TEKTII_INSTALL_DIR   — install directory (default: $CARGO_HOME/bin or ~/.cargo/bin)
#
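# Pin to a specific version (the variable must be set for bash, which runs
# this script; a prefix on the curl command does not cross the pipe, and the
# installer would fall back to "latest"):
#   curl -sSL https://get.tektii.com/install.sh \
#     | TEKTII_DOWNLOAD_URL=https://get.tektii.com/download/tektii-cli-v0.2.0 bash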

# Strict mode: stop on an unhandled command failure, on expansion of an unset
# variable, and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# Everything is wrapped in main() so a partially-downloaded script cannot
# execute a truncated install sequence when piped to bash. Bash buffers until
# the closing brace of main() before executing anything inside it.
main() {
    # Install flow: work out the platform target, fetch the matching archive
    # and its .sha256 into a private temp directory, verify the checksum,
    # unpack, then copy only the 'tektii' binary into the install directory.
    #
    # Environment: TEKTII_DOWNLOAD_URL (base URL), TEKTII_INSTALL_DIR,
    #              CARGO_HOME, HOME.
    local base_url install_dir target archive archive_url checksum_url
    local unpacked binary dest on_path line

    base_url="${TEKTII_DOWNLOAD_URL:-https://get.tektii.com/download/latest}"
    install_dir="${TEKTII_INSTALL_DIR:-${CARGO_HOME:-$HOME/.cargo}/bin}"
    dest="${install_dir}/tektii"

    target="$(detect_target)"
    archive="tektii-cli-${target}.tar.xz"
    # The checksum URL is derived from the archive URL, so both files come
    # from the same place: the check below is an integrity check on the
    # download, not proof of who published it.
    archive_url="${base_url}/${archive}"
    checksum_url="${archive_url}.sha256"

    say "Detected target: ${target}"
    say "Downloading ${archive}..."

    # tmp_dir is not declared local: on the normal path the EXIT trap fires
    # after main() has returned, when a local would no longer be visible.
    # The trap is registered before mktemp so no window exists in which the
    # directory is created but not scheduled for removal.
    tmp_dir=""
    trap '[ -n "${tmp_dir:-}" ] && rm -rf "${tmp_dir}"' EXIT
    tmp_dir="$(mktemp -d 2>/dev/null || mktemp -d -t 'tektii-install')"
    unpacked="${tmp_dir}/extracted"
    binary="${unpacked}/tektii"

    download "${archive_url}" "${tmp_dir}/${archive}"
    download "${checksum_url}" "${tmp_dir}/${archive}.sha256"

    # Verification happens before tar ever reads the archive.
    say "Verifying checksum..."
    verify_checksum "${tmp_dir}" "${archive}"

    say "Extracting..."
    mkdir -p "${unpacked}"
    # cargo-dist archives wrap everything in one top-level directory; drop it.
    tar -xJf "${tmp_dir}/${archive}" --strip-components=1 -C "${unpacked}"

    [ -f "${binary}" ] || err "Archive did not contain expected 'tektii' binary"

    say "Installing to ${install_dir}..."
    mkdir -p "${install_dir}"
    # Only the binary leaves the temp directory; everything else that was in
    # the archive is discarded with it.
    cp "${binary}" "${dest}"
    chmod +x "${dest}"

    # Report the version only when the tektii found on PATH is the copy that
    # was just installed; otherwise explain how to put it on PATH.
    on_path="$(command -v tektii 2>/dev/null || true)"
    if [ "${on_path}" = "${dest}" ]; then
        say "Installed $(tektii --version 2>/dev/null || echo tektii) to ${install_dir}"
        return
    fi

    for line in \
        "Installed tektii to ${install_dir}" \
        "" \
        "Add it to your PATH:" \
        "  export PATH=\"${install_dir}:\$PATH\"" \
        "" \
        "Add the line above to your ~/.bashrc or ~/.zshrc to make it permanent."; do
        say "${line}"
    done
}

say() {
    # Print all arguments as one line on stdout, prefixed with the tool name.
    # The text is passed as a printf argument, never as the format string.
    local message="$*"
    printf '%s%s\n' 'tektii-cli: ' "${message}"
}

err() {
    # Report a fatal problem on stderr (through say, so it carries the usual
    # prefix) and terminate the script with status 1.
    local reason="$*"
    say "ERROR: ${reason}" 1>&2
    exit 1
}

detect_target() {
    # Print the release target triple for this machine, built from
    # `uname -m` and `uname -s`. Calls err (which exits) for an OS or CPU
    # architecture that has no matching archive name.
    local machine kernel cpu suffix label
    machine="$(uname -m)"
    kernel="$(uname -s)"

    # OS decides the vendor/ABI half of the triple and the wording of the
    # architecture error.
    case "${kernel}" in
        Linux)
            suffix="unknown-linux-gnu"
            label="Linux"
            ;;
        Darwin)
            suffix="apple-darwin"
            label="macOS"
            ;;
        *)
            err "Unsupported OS: ${kernel}. See https://get.tektii.com/download/latest/ for direct downloads."
            ;;
    esac

    # uname reports the same CPU under different names; fold them together.
    case "${machine}" in
        x86_64 | amd64)  cpu="x86_64" ;;
        aarch64 | arm64) cpu="aarch64" ;;
        *) err "Unsupported ${label} architecture: ${machine}" ;;
    esac

    echo "${cpu}-${suffix}"
}

download() {
    # Fetch $1 (URL) into $2 (output path) with curl; on any curl failure,
    # including an HTTP error status (-f), abort through err.
    local url="$1" out="$2"
    local -a curl_args

    # --proto '=https' limits curl to https for the request and for any
    # redirect it follows (-L); --tlsv1.2 sets the minimum TLS version.
    # Together they refuse a downgrade to http/ftp or to older TLS.
    curl_args=(--proto '=https' --tlsv1.2 -sSfL "${url}" -o "${out}")

    curl "${curl_args[@]}" || err "Failed to download ${url}"
}

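verify_checksum() {
    # Check that ${dir}/${file} matches the SHA-256 recorded in
    # ${dir}/${file}.sha256; abort through err if it does not.
    #
    # Arguments: $1 - directory holding the archive and its checksum file
    #            $2 - archive file name, relative to $1
    #
    # Only the hash is taken from the checksum file; the digest is always
    # computed over ${dir}/${file}. Passing the file to `sha256sum -c` would
    # verify whichever path the downloaded file names, so a checksum file
    # listing some other path could pass without the archive being read.
    #
    # The checksum file is fetched from the same server as the archive, so
    # this catches corrupted or truncated downloads; it does not authenticate
    # the publisher.
    local dir="$1" file="$2"
    local sum_file="${dir}/${file}.sha256"
    local expected="" actual=""

    # In the cargo-dist format ("<hash>  <filename>") the hash is the first
    # whitespace-delimited field. `|| true`: read returns non-zero when the
    # last line has no trailing newline but still fills the variable.
    read -r expected _ < "${sum_file}" || true
    expected="$(printf '%s' "${expected}" | tr 'A-F' 'a-f')"
    case "${expected}" in
        "" | *[!0-9a-f]*) err "Malformed checksum file for ${file}" ;;
    esac
    [ "${#expected}" -eq 64 ] || err "Malformed checksum file for ${file}"

    # macOS ships shasum, most Linux distros ship sha256sum. Hashing stdin
    # makes both print "<hash>  -", independent of characters in the path.
    if command -v sha256sum >/dev/null 2>&1; then
        actual="$(sha256sum < "${dir}/${file}")" \
            || err "Checksum verification failed for ${file}"
    elif command -v shasum >/dev/null 2>&1; then
        actual="$(shasum -a 256 < "${dir}/${file}")" \
            || err "Checksum verification failed for ${file}"
    else
        err "No SHA256 tool found (need 'sha256sum' or 'shasum')"
    fi
    actual="${actual%% *}"

    [ "${actual}" = "${expected}" ] \
        || err "Checksum verification failed for ${file}"
}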

# Sole top-level call, kept on the last line: if the script is cut short
# before this point, main() is never invoked and no install step runs.
main "$@"
