?

Picking an install method

Method When to use it Verifiable
Signed release archive Production, air-gapped, any regulated environment. Yes — cosign + SHA-256 checksums + SLSA-3 provenance.
go install Individual developers who trust the Go module proxy checksum database. Partial — go.sum pin via pkg.go.dev.
From source (make build) Contributors and reviewers who want to run the full CI gate locally. Yes — reproducible-build job in CI confirms bit-identical output.
Container image Deployments alongside other systemd services or in Kubernetes. Yes — image is built from the tagged source, provenance is attached.
Homebrew (planned) macOS convenience. Planned; not yet shipped.

Install by OS

Signed release (recommended). Works on Apple Silicon and Intel — swap arm64 for amd64 on Intel Macs.

VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_darwin_arm64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"

cosign verify-blob \
  --certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --signature "rousseau_${VERSION}_checksums.txt.sig" \
  "rousseau_${VERSION}_checksums.txt"

shasum -a 256 -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_darwin_arm64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version

go install. Fastest path if you already have Go 1.26+:

brew install go@1.26        # or from https://go.dev/dl
go install github.com/sebastienrousseau/rousseau-agent/cmd/rousseau@latest

The binary embeds modernc.org/sqlite (see internal/state/sqlite/store.go), so there is no libc or CGo dependency and no Xcode Command Line Tools requirement.

Homebrew. The Homebrew formula is on the roadmap. Until it ships, use the release-archive path above.

Verifying a signed release

The cosign verify-blob command performs three checks at once against Sigstore's public transparency log:

  1. The certificate embedded in the signature was issued to the GitHub Actions OIDC identity matching the regex.
  2. The signature over the checksum file is valid.
  3. The certificate was witnessed by the transparency log.

sha256sum -c then confirms every artefact in the checksum file matches. This is the load-bearing supply-chain check — do not skip it.

Verifying the SBOM

Every release ships rousseau_<version>_sbom.cdx.json (CycloneDX 1.5). Inspect with cyclonedx-cli:

cyclonedx-cli tree --input-file rousseau_<version>_sbom.cdx.json
cyclonedx-cli validate --input-file rousseau_<version>_sbom.cdx.json

Verifying SLSA-3 provenance

slsa-verifier verify-artifact \
  --provenance-path rousseau_<version>_provenance.intoto.jsonl \
  --source-uri github.com/sebastienrousseau/rousseau-agent \
  --source-tag <version> \
  rousseau_<version>_linux_amd64.tar.gz

Any deviation between the artefact and what CI attests to having built causes slsa-verifier to exit non-zero.

macOS

Signed release (recommended)

VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_darwin_arm64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"

cosign verify-blob \
  --certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --signature "rousseau_${VERSION}_checksums.txt.sig" \
  "rousseau_${VERSION}_checksums.txt"

shasum -a 256 -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_darwin_arm64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version

Replace arm64 with amd64 on Intel Macs.

Homebrew (planned)

The Homebrew formula is on the roadmap. Until it ships, the release-archive path above is the recommended macOS install.

Linux

Signed release (recommended)

VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_linux_amd64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"

cosign verify-blob \
  --certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --signature "rousseau_${VERSION}_checksums.txt.sig" \
  "rousseau_${VERSION}_checksums.txt"

sha256sum -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_linux_amd64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version

aarch64 builds are published under linux_arm64.

The certificate-identity regex pins the signer identity. Do not weaken it: any release archive signed by a different identity should be rejected outright.

Via go install

go install github.com/sebastienrousseau/rousseau-agent/cmd/rousseau@latest

The binary is fully static (CGO_ENABLED=0) and embeds modernc.org/sqlite, so no libc or CGo runtime dependency is introduced. go.sum pins are enforced by the Go module proxy checksum database.

Windows

Windows binaries are published in the same release archive layout:

$Version = "<pin-a-tag>"
Invoke-WebRequest -Uri "https://github.com/sebastienrousseau/rousseau-agent/releases/download/$Version/rousseau_${Version}_windows_amd64.zip" -OutFile "rousseau.zip"
Invoke-WebRequest -Uri "https://github.com/sebastienrousseau/rousseau-agent/releases/download/$Version/rousseau_${Version}_checksums.txt" -OutFile "checksums.txt"

# Verify SHA-256 (cosign verification is Linux/macOS-friendly; on Windows,
# checksum verification alone is usable but weaker than the full recipe).
Get-FileHash rousseau.zip -Algorithm SHA256
Expand-Archive rousseau.zip -DestinationPath .

Windows is a first-class build target but is under-tested — every chat transport works, but the reference deployment (Podman + Quadlet) assumes Linux. Report Windows-specific issues so they can be caught in CI.

From source

git clone https://github.com/sebastienrousseau/rousseau-agent
cd rousseau-agent
make build          # produces ./bin/rousseau
./bin/rousseau version

make check runs the exact CI gate: go vet, golangci-lint v2 (18 linters), go test -race -count=1 -covermode=atomic ./..., and govulncheck.

The dedicated reproducible-build CI job verifies bit-identical output from a fresh checkout on ubuntu-latest, so a local make build on the same Go toolchain will produce a binary whose SHA-256 matches the tagged release.

Podman / Docker

# Build locally from the tagged source.
podman build -t rousseau-agent:local -f docker/Dockerfile .

# Pull the pre-built image (once published).
podman pull ghcr.io/sebastienrousseau/rousseau-agent:<tag>

Docker works identically: swap podman for docker. The reference deployment (Deployment) uses rootless Podman with a systemd Quadlet unit because Quadlet provides declarative hardening (ReadOnly=true, DropCapability=all, NoNewPrivileges=true, seccomp filter, keep-id user-namespace mapping) that plain Docker does not.

The runtime image is ~550 MB, built as a multi-stage golang:1.26-alpine builder feeding a node:22-alpine runtime. The Node layer exists only so the optional claude CLI subprocess has a home; the daemon itself has no interpreter dependency.

Verifying a signed release

The cosign verify-blob command performs three checks at once against Sigstore's public transparency log:

  1. The certificate embedded in the signature was issued to the GitHub Actions OIDC identity matching the regex.
  2. The signature over the checksum file is valid.
  3. The certificate was witnessed by the transparency log.

sha256sum -c then confirms every artefact in the checksum file matches. This is the load-bearing supply-chain check — do not skip it.

Troubleshooting

go: module github.com/sebastienrousseau/rousseau-agent/cmd/rousseau: no matching versions

Your go toolchain is older than 1.26. go install refuses modules with a go directive above the toolchain version. Upgrade Go, or use the signed-release archive.

sha256sum: WARNING: X computed checksums did NOT match

The archive was corrupted mid-download, or (worse) tampered with. Re-download and re-run the recipe from the top — cosign verify-blob should have caught tampering, but always trust the SHA-256 outcome over any assumption.

cosign: no matching signatures

You have cosign but the --certificate-identity-regexp does not match the signer. For rousseau, use sebastienrousseau/rousseau-agent. If it still fails, run cosign initialize to refresh Sigstore's trust root — the root rotates on a slow cadence.

rousseau version prints dev / none / unknown

You installed via go install and the -ldflags version stamps in internal/cli/root.go were not populated. Cosmetic only, but the signed-release archive is the fix.

macOS Gatekeeper refuses to open the binary

Right-click the binary in Finder, choose Open, then Open again in the dialog. Alternatively xattr -d com.apple.quarantine ./rousseau removes the quarantine bit. The signed release is not notarised — cosign verification is the equivalent supply-chain check.

Related pages

Further reading

  • README.md — repository-level positioning and capability matrix.
  • SECURITY.md — vulnerability disclosure and supply-chain controls.
  • Makefile — the exact CI gate reproduced locally by make check.
  • docker/Dockerfile — multi-stage build (golang:1.26-alpinenode:22-alpine).

Type to search 150+ pages. Ranking: BM25 with title/description boost.