Installing Salt CLI
For generating attestations in CI/CD pipelines, you may download and run the Salt CLI.
Xygeni offers custom tasks that simplify installation on certain CI/CD platforms. For Azure DevOps, you can use Xygeni Build Attestation to generate SLSA provenance attestations and Xygeni Attestation Verifier to verify software attestations.
The Salt CLI is distributed as a zipfile that runs under Linux, macOS and Windows. The installation process downloads the zipfile, unzips the downloaded file, and adds a shortcut for running salt in the target platform.
In brief, assuming that you want to place the Salt CLI in a given <TARGET_DIR> directory:
For macOS/Linux (bash):
# download zipfile
curl -sLO https://get.xygeni.io/latest/salt/salt.zip
# verify integrity
SALT_CHECKSUM=$(curl -s https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/salt.zip.sha256)
# (two spaces between digest and file name: the format both sha256sum and shasum accept)
echo "$SALT_CHECKSUM  salt.zip" | sha256sum --check
# unzip
unzip salt.zip -d <TARGET_DIR>
# add alias
alias salt=<TARGET_DIR>/xygeni_salt/salt
salt --help
For Windows (PowerShell):
# download zipfile
iwr https://get.xygeni.io/latest/salt/salt.zip -useb -OutFile salt.zip
# verify integrity
# Trim() drops any trailing newline in the published checksum file
$salt_digest = (iwr https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/salt.zip.sha256 -useb).Content.Trim()
# must print True; do not continue if it prints False
(Get-FileHash '.\salt.zip' -Algorithm SHA256).Hash -eq $salt_digest
# unzip
Expand-Archive '.\salt.zip' -DestinationPath '<TARGET_DIR>'
# Or, alternatively, for older PowerShell versions:
# Add-Type -AssemblyName System.IO.Compression.FileSystem
# [System.IO.Compression.ZipFile]::ExtractToDirectory('.\salt.zip', '<TARGET_DIR>')
# add alias
Set-Alias -Name salt -Value '<TARGET_DIR>\xygeni_salt\salt.ps1'
salt --help
The following sections describe each step in more detail.
Download Salt CLI
Run whichever of the following best matches your platform:
For macOS/Linux (bash):
curl -sLO https://get.xygeni.io/latest/salt/salt.zip
On Windows (PowerShell):
iwr https://get.xygeni.io/latest/salt/salt.zip -useb -OutFile salt.zip
Verify the Integrity
Xygeni publishes a SHA-256 checksum of published components in the xygeni/xygeni GitHub repository, so you may verify the integrity of a downloaded artifact.
To check that the checksum of the downloaded file matches the checksum published in the Xygeni repository, meaning that it probably was not tampered with:
On macOS/Linux (bash):
echo "$(curl -s https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/salt.zip.sha256)  salt.zip" | sha256sum --check
On macOS, sha256sum is probably not installed on your host. You may:
(1) install it,
(2) or use shasum -a 256 instead of sha256sum, if the shasum command is installed:
echo "$(curl -s https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/salt.zip.sha256)  salt.zip" | shasum -a 256 --check
On Windows (PowerShell):
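# must print True; Trim() drops any trailing newline in the published checksum file
(Get-FileHash '.\salt.zip' -Algorithm SHA256).Hash -eq `
(iwr https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/salt.zip.sha256 -useb).Content.Trim()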
Unzip the CLI
TARGET_DIR is the path where the zipfile contents will be extracted. Replace it with your
For mac/Linux (bash):
unzip salt.zip -d <TARGET_DIR>
On Windows (PowerShell):
Expand-Archive '.\salt.zip' -DestinationPath '<TARGET_DIR>'
# Or, alternatively, for older PowerShell versions:
# Add-Type -AssemblyName System.IO.Compression.FileSystem
# [System.IO.Compression.ZipFile]::ExtractToDirectory('.\salt.zip', '<TARGET_DIR>')
In what follows, the location of the Salt CLI is TARGET_DIR/xygeni_salt.
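An added example, not Xygeni's own script: the download, verify and unzip steps above wrapped so that a CI job stops before unzipping when the checksum does not match or when the fetched value is not a SHA-256 digest at all. The function names and return codes are assumptions made for this example; the URLs are the ones given on this page.

```bash
# Added example: fail-closed checksum gate for a CI step.
# Function names and return codes are hypothetical; URLs are from this page.
SALT_ZIP_URL=https://get.xygeni.io/latest/salt/salt.zip
SALT_SUM_URL=https://raw.githubusercontent.com/xygeni/xygeni/main/checksum/latest/salt.zip.sha256

# Print the SHA-256 of a file using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    return 127
  fi
}

# verify_sha256 FILE PUBLISHED
# 0 = match, 1 = mismatch, 2 = published value is not a SHA-256, 3 = no hash tool
verify_sha256() {
  local file expected actual
  file=$1
  # Keep the first field, drop CRs, lowercase.
  # Assumption: the published file holds "hash" or "hash  name".
  expected=$(printf '%s\n' "$2" | tr -d '\r' | awk '{print tolower($1)}')
  # An error page or an empty response must never be compared as a digest.
  case $expected in
    ''|*[!0-9a-f]*) echo "published checksum is malformed" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "published checksum is malformed" >&2; return 2; }
  actual=$(sha256_of "$file") || return 3
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
}

# install_salt TARGET_DIR: download, verify, and only then unzip.
install_salt() {
  local target_dir expected
  target_dir=$1
  # -f makes curl fail on HTTP errors instead of saving the error body.
  curl -fsSLO "$SALT_ZIP_URL" || return 4
  expected=$(curl -fsSL "$SALT_SUM_URL") || return 4
  verify_sha256 salt.zip "$expected" || return $?
  unzip -q salt.zip -d "$target_dir"
}
```

In a pipeline, call `install_salt <TARGET_DIR>` and let a non-zero status fail the job.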
Set Alias for Salt
The Salt CLI command is either a bash salt or PowerShell salt.ps1 script under TARGET_DIR/xygeni_salt. It is convenient to use an alias for running the command without providing its full path. You may add TARGET_DIR/xygeni_salt to the PATH, or alternatively add an alias or shell function:
For mac/Linux (bash):
alias salt=<TARGET_DIR>/xygeni_salt/salt
On Windows (PowerShell):
Set-Alias -Name salt -Value '<TARGET_DIR>\xygeni_salt\salt.ps1'
The Salt CLI is now available through the salt alias. Run salt --help to show the help for the different commands available.
Execute Salt
Once installed, you can execute salt.
Please note that you need to provide a Xygeni Token to salt to make it work.