cmdx is written in Go. So you only have to install a binary in your PATH.
There are some ways to install cmdx.
You can install cmdx using Homebrew.
brew install suzuki-shunsuke/cmdx/cmdxYou can install cmdx using aqua.
aqua g -i suzuki-shunsuke/cmdxgo install github.com/suzuki-shunsuke/cmdx/cmd/cmdx@latestYou can download an asset from GitHub Releases.
Please unarchive it and install a pre built binary into $PATH.
You can verify downloaded assets using some tools.
You can install GitHub CLI by aqua.
aqua g -i cli/cliversion=v1.7.5
asset=cmdx_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/cmdx "$version" -p "$asset"
gh attestation verify "$asset" \
-R suzuki-shunsuke/cmdx \
--signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yamlYou can install slsa-verifier by aqua.
aqua g -i slsa-framework/slsa-verifierversion=v1.7.5
asset=cmdx_darwin_arm64.tar.gz
gh release download -R suzuki-shunsuke/cmdx "$version" -p "$asset" -p multiple.intoto.jsonl
slsa-verifier verify-artifact "$asset" \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/suzuki-shunsuke/cmdx \
--source-tag "$version"You can install Cosign by aqua.
aqua g -i sigstore/cosignversion=v1.7.5
checksum_file="cmdx_${version#v}_checksums.txt"
asset=cmdx_darwin_arm64.tar.gz
gh release download "$version" \
-R suzuki-shunsuke/cmdx \
-p "$asset" \
-p "$checksum_file" \
-p "${checksum_file}.pem" \
-p "${checksum_file}.sig"
cosign verify-blob \
--signature "${checksum_file}.sig" \
--certificate "${checksum_file}.pem" \
--certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
"$checksum_file"
cat "$checksum_file" | sha256sum -c --ignore-missing