checkrd

Install

Install the Checkrd CLI on macOS, Linux, or Windows. Single static binary, no runtime dependencies.

Install the CLI

checkrd is a single static binary. There's no runtime to install — pick whichever package manager you already use.

Homebrew (macOS, Linux)

bash
brew install checkrd/tap/checkrd

This installs the checkrd binary into Homebrew's prefix and wires checkrd upgrade to use brew upgrade so future updates flow through the same channel.

npm

bash
npm install -g @checkrd/cli

The npm package is a thin wrapper that downloads the right per-platform binary at install time (the same optionalDependencies pattern that esbuild and swc use). The actual binary lives in node_modules/@checkrd/cli-<target>/.

Useful for CI images that already have Node available — no extra package manager to learn.

Shell installer (macOS, Linux)

bash
curl -fsSL https://checkrd.io/install.sh | sh

The script detects your OS and architecture, downloads the matching binary from GitHub Releases, and places it in ~/.checkrd/bin. Add that directory to your PATH:

bash
export PATH="$HOME/.checkrd/bin:$PATH"

The installer is signed by sigstore and verifies its own signature before running. You can audit the script before piping to sh — it's the standard cargo-dist-generated installer, ~150 lines of POSIX shell.

PowerShell (Windows)

powershell
irm https://checkrd.io/install.ps1 | iex

Or install the MSI from the latest release for a system-wide install with proper Add/Remove Programs integration.

Cargo

bash
cargo install checkrd-cli

For Rust developers who already have a toolchain set up. Slower than the prebuilt binary install (compiles from source), but works on any target the Rust compiler supports.

Verify

bash
checkrd --version
# checkrd 0.1.0

Shell completions

Generate completions for your shell and source them in your shell's rc file:

bash
# Bash
eval "$(checkrd completions bash)"

# Zsh
checkrd completions zsh > ~/.zsh/completions/_checkrd
# add `fpath+=~/.zsh/completions` and `autoload -U compinit && compinit` to ~/.zshrc

# Fish
checkrd completions fish | source
# or persist: checkrd completions fish > ~/.config/fish/completions/checkrd.fish

# PowerShell
checkrd completions power-shell | Out-String | Invoke-Expression

macOS Gatekeeper

The first time you run a binary downloaded outside the Mac App Store, Gatekeeper may quarantine it. If you see "checkrd cannot be opened because the developer cannot be verified," run:

bash
xattr -d com.apple.quarantine "$(which checkrd)"

Or install via Homebrew, which handles signing transparently.

Linux secret service

The CLI stores credentials in the OS keychain via libsecret. On a fresh Linux install you may need:

bash
sudo apt install libsecret-1-0 gnome-keyring

On headless servers where no secret service is running, set CHECKRD_API_KEY in your environment instead — the CLI checks env before keychain.

Verify your download

Every checkrd release ships with five layers of supply-chain attestation. Use whichever fit your security policy — none are required for the CLI to run.

Build provenance (Sigstore + SLSA L2)

Every binary is signed via Sigstore keyless signing through GitHub's OIDC provider. The signed bundle lands in GitHub's transparency log. Verify with the GitHub CLI:

bash
gh attestation verify "$(which checkrd)" --repo checkrd/checkrd
# Loaded digest sha256:...
# ✓ Verification succeeded!
#
# The following policy criteria were met:
# - Predicate type must match: https://slsa.dev/provenance/v1
# - Source Repository must match: https://github.com/checkrd/checkrd
# - Workflow must match: .github/workflows/checkrd-cli-release.yml

If gh attestation verify returns "no attestation found", the binary was tampered with after release or you downloaded from a third-party mirror. Re-download from the official GitHub Release.
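For CI, the same check can be wrapped so that a missing or invalid attestation stops the job before the binary is ever executed. The function below is an added example, not part of checkrd's own tooling; the function names and return codes are assumptions, the repository and workflow path are the ones shown in the verification output above, and --signer-workflow is the gh flag that pins the signing workflow.

```sh
# Added example: fail-closed provenance gate for a downloaded checkrd binary.
# Repo and workflow path come from the gh output shown on this page.
CHECKRD_REPO="checkrd/checkrd"
CHECKRD_WORKFLOW="checkrd/checkrd/.github/workflows/checkrd-cli-release.yml"

# Print the SHA-256 of a file using whichever tool the platform provides.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_checkrd PATH
# Returns 0 only when gh confirms an attestation from the expected repo
# and release workflow. 1 = verification failed, 2 = binary missing,
# 3 = gh not installed (treated as a failure, never as a pass).
verify_checkrd() {
  bin=$1
  [ -f "$bin" ] || { echo "verify: $bin not found" >&2; return 2; }
  command -v gh >/dev/null 2>&1 || {
    echo "verify: gh CLI not installed; refusing to trust $bin" >&2
    return 3
  }
  # Log the digest so the build record shows exactly what was checked.
  echo "verify: sha256:$(file_sha256 "$bin")" >&2
  if gh attestation verify "$bin" \
       --repo "$CHECKRD_REPO" \
       --signer-workflow "$CHECKRD_WORKFLOW" >/dev/null; then
    return 0
  fi
  echo "verify: no valid attestation for $bin; do not run it" >&2
  return 1
}
```

Call it as verify_checkrd "$HOME/.checkrd/bin/checkrd" || exit 1 before the first checkrd invocation in the pipeline. A binary compiled locally with cargo install has a different digest from the release artifacts, so this gate applies to the prebuilt downloads.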

Auditable binary (cargo-auditable)

Every binary embeds its Cargo.lock-derived dependency tree in a .dep-v0 ELF/Mach-O/PE section (~4 KB overhead). Query it offline against the RustSec advisory database:

bash
cargo install cargo-audit --features=fix
cargo audit bin "$(which checkrd)"
# Crate:    checkrd-cli
# Version:  0.1.0
# Loaded:   358 dependencies from binary
# Crate vulnerabilities found: 0

Trivy, Grype, Syft, and osv-scanner all read the same section if you prefer them over cargo audit.

SBOM (CycloneDX 1.6 + SPDX 2.3)

Each release includes both formats as assets:

bash
gh release download checkrd-cli-vX.Y.Z \
  --pattern '*.cdx.json' --pattern '*.spdx.json' \
  --repo checkrd/checkrd

# Feed to your scanner of choice
trivy sbom checkrd-cli.cdx.json
grype sbom:checkrd-cli.cdx.json

The SPDX file is also auto-submitted to GitHub's dependency graph on every release, so Dependabot alerts fire automatically on the deps that actually shipped.

npm provenance

@checkrd/cli is published with --provenance. The npm registry shows a green "Provenance" badge on the package page. Verify locally:

bash
npm audit signatures
# audited 1 package in 1s
# 1 package has a verified registry signature

macOS Gatekeeper + Windows Authenticode

When code-signing certificates are provisioned, the .tar.gz/.msi artifacts are signed and notarized. macOS verifies automatically on first launch; explicit check:

bash
spctl --assess --type execute -vv "$(which checkrd)"
# checkrd: accepted
# source=Notarized Developer ID

Windows:

powershell
Get-AuthenticodeSignature (Get-Command checkrd).Path
# SignerCertificate: ...
# Status:           Valid

For the engineer's reference on what each layer covers and how to procure the optional code-signing certs, see docs/SUPPLY_CHAIN.md in the repo.

Next step

bash
checkrd login

Authenticate via your browser. The CLI opens the dashboard, you sign in once, and a long-lived API key gets stored in your OS keychain. See Authentication for the full flow.