Picking an install method
| Method | When to use it | Verifiable |
|---|---|---|
| Signed release archive | Production, air-gapped, any regulated environment. | Yes — cosign + SHA-256 checksums + SLSA-3 provenance. |
go install |
Individual developers who trust the Go module proxy checksum database. | Partial — go.sum pin via pkg.go.dev. |
From source (make build) |
Contributors and reviewers who want to run the full CI gate locally. | Yes — reproducible-build job in CI confirms bit-identical output. |
| Container image | Deployments alongside other systemd services or in Kubernetes. | Yes — image is built from the tagged source, provenance is attached. |
| Homebrew (planned) | macOS convenience. | Planned; not yet shipped. |
Install by OS
Signed release (recommended). Works on Apple Silicon and Intel — swap arm64 for amd64 on Intel Macs.
VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_darwin_arm64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"
cosign verify-blob \
--certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--signature "rousseau_${VERSION}_checksums.txt.sig" \
"rousseau_${VERSION}_checksums.txt"
shasum -a 256 -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_darwin_arm64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version
go install. Fastest path if you already have Go 1.26+:
brew install go@1.26 # or from https://go.dev/dl
go install github.com/sebastienrousseau/rousseau-agent/cmd/rousseau@latest
The binary embeds modernc.org/sqlite (see internal/state/sqlite/store.go), so there is no libc or CGo dependency and no Xcode Command Line Tools requirement.
Homebrew. The Homebrew formula is on the roadmap. Until it ships, use the release-archive path above.
Signed release (recommended). aarch64 builds are published under linux_arm64:
VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_linux_amd64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"
cosign verify-blob \
--certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--signature "rousseau_${VERSION}_checksums.txt.sig" \
"rousseau_${VERSION}_checksums.txt"
sha256sum -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_linux_amd64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version
Distro packages. No first-party packages yet — track the release archives above.
Rootless Podman (production). See Deployment for the Quadlet reference. pasta networking requires Podman 5.x+; Debian 12 and Ubuntu 22.04 ship 4.x and need a slirp4netns fallback (roadmap).
Rousseau is a first-class Windows build target; every transport works on Windows except signal (requires the signal-cli JVM subprocess) and imessage (requires macOS). The reference Podman + Quadlet deployment is Linux-only — use WSL 2 or a Linux VM for the container path.
Signed release. PowerShell:
$Version = "<pin-a-tag>"
Invoke-WebRequest -Uri "https://github.com/sebastienrousseau/rousseau-agent/releases/download/$Version/rousseau_${Version}_windows_amd64.zip" -OutFile "rousseau.zip"
Invoke-WebRequest -Uri "https://github.com/sebastienrousseau/rousseau-agent/releases/download/$Version/rousseau_${Version}_checksums.txt" -OutFile "checksums.txt"
Get-FileHash rousseau.zip -Algorithm SHA256
Expand-Archive rousseau.zip -DestinationPath .
Compare Get-FileHash output against checksums.txt by eye, or pipe through PowerShell to script the check.
go install. Works out of the box on Windows once Go is on the PATH:
winget install GoLang.Go
go install github.com/sebastienrousseau/rousseau-agent/cmd/rousseau@latest
Verifying a signed release
The cosign verify-blob command performs three checks at once against Sigstore's public transparency log:
- The certificate embedded in the signature was issued to the GitHub Actions OIDC identity matching the regex.
- The signature over the checksum file is valid.
- The certificate was witnessed by the transparency log.
sha256sum -c then confirms every artefact in the checksum file matches. This is the load-bearing supply-chain check — do not skip it.
Verifying the SBOM
Every release ships rousseau_<version>_sbom.cdx.json (CycloneDX 1.5). Inspect with cyclonedx-cli:
cyclonedx-cli tree --input-file rousseau_<version>_sbom.cdx.json
cyclonedx-cli validate --input-file rousseau_<version>_sbom.cdx.json
Verifying SLSA-3 provenance
slsa-verifier verify-artifact \
--provenance-path rousseau_<version>_provenance.intoto.jsonl \
--source-uri github.com/sebastienrousseau/rousseau-agent \
--source-tag <version> \
rousseau_<version>_linux_amd64.tar.gz
Any deviation between the artefact and what CI attests to having built causes slsa-verifier to exit non-zero.
macOS
Signed release (recommended)
VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_darwin_arm64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"
cosign verify-blob \
--certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--signature "rousseau_${VERSION}_checksums.txt.sig" \
"rousseau_${VERSION}_checksums.txt"
shasum -a 256 -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_darwin_arm64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version
Replace arm64 with amd64 on Intel Macs.
Homebrew (planned)
The Homebrew formula is on the roadmap. Until it ships, the release-archive path above is the recommended macOS install.
Linux
Signed release (recommended)
VERSION=<pin-a-tag>
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_linux_amd64.tar.gz"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt"
curl -fsSLO "https://github.com/sebastienrousseau/rousseau-agent/releases/download/${VERSION}/rousseau_${VERSION}_checksums.txt.sig"
cosign verify-blob \
--certificate-identity-regexp 'sebastienrousseau/rousseau-agent' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--signature "rousseau_${VERSION}_checksums.txt.sig" \
"rousseau_${VERSION}_checksums.txt"
sha256sum -c "rousseau_${VERSION}_checksums.txt" --ignore-missing
tar -xzf "rousseau_${VERSION}_linux_amd64.tar.gz"
sudo install -m 0755 rousseau /usr/local/bin/rousseau
rousseau version
aarch64 builds are published under linux_arm64.
The certificate-identity regex pins the signer identity. Do not weaken it: any release archive signed by a different identity should be rejected outright.
Via go install
go install github.com/sebastienrousseau/rousseau-agent/cmd/rousseau@latest
The binary is fully static (CGO_ENABLED=0) and embeds modernc.org/sqlite, so no libc or CGo runtime dependency is introduced. go.sum pins are enforced by the Go module proxy checksum database.
Windows
Windows binaries are published in the same release archive layout:
$Version = "<pin-a-tag>"
Invoke-WebRequest -Uri "https://github.com/sebastienrousseau/rousseau-agent/releases/download/$Version/rousseau_${Version}_windows_amd64.zip" -OutFile "rousseau.zip"
Invoke-WebRequest -Uri "https://github.com/sebastienrousseau/rousseau-agent/releases/download/$Version/rousseau_${Version}_checksums.txt" -OutFile "checksums.txt"
# Verify SHA-256 (cosign verification is Linux/macOS-friendly; on Windows,
# checksum verification alone is usable but weaker than the full recipe).
Get-FileHash rousseau.zip -Algorithm SHA256
Expand-Archive rousseau.zip -DestinationPath .
Windows is a first-class build target but is under-tested — every chat transport works, but the reference deployment (Podman + Quadlet) assumes Linux. Report Windows-specific issues so they can be caught in CI.
From source
git clone https://github.com/sebastienrousseau/rousseau-agent
cd rousseau-agent
make build # produces ./bin/rousseau
./bin/rousseau version
make check runs the exact CI gate: go vet, golangci-lint v2 (18 linters), go test -race -count=1 -covermode=atomic ./..., and govulncheck.
The dedicated reproducible-build CI job verifies bit-identical output from a fresh checkout on ubuntu-latest, so a local make build on the same Go toolchain will produce a binary whose SHA-256 matches the tagged release.
Podman / Docker
# Build locally from the tagged source.
podman build -t rousseau-agent:local -f docker/Dockerfile .
# Pull the pre-built image (once published).
podman pull ghcr.io/sebastienrousseau/rousseau-agent:<tag>
Docker works identically: swap podman for docker. The reference deployment (Deployment) uses rootless Podman with a systemd Quadlet unit because Quadlet provides declarative hardening (ReadOnly=true, DropCapability=all, NoNewPrivileges=true, seccomp filter, keep-id user-namespace mapping) that plain Docker does not.
The runtime image is ~550 MB, built as a multi-stage golang:1.26-alpine builder feeding a node:22-alpine runtime. The Node layer exists only so the optional claude CLI subprocess has a home; the daemon itself has no interpreter dependency.
Verifying a signed release
The cosign verify-blob command performs three checks at once against Sigstore's public transparency log:
- The certificate embedded in the signature was issued to the GitHub Actions OIDC identity matching the regex.
- The signature over the checksum file is valid.
- The certificate was witnessed by the transparency log.
sha256sum -c then confirms every artefact in the checksum file matches. This is the load-bearing supply-chain check — do not skip it.
Troubleshooting
go: module github.com/sebastienrousseau/rousseau-agent/cmd/rousseau: no matching versions
Your go toolchain is older than 1.26. go install refuses modules with a go directive above the toolchain version. Upgrade Go, or use the signed-release archive.
sha256sum: WARNING: X computed checksums did NOT match
The archive was corrupted mid-download, or (worse) tampered with. Re-download and re-run the recipe from the top — cosign verify-blob should have caught tampering, but always trust the SHA-256 outcome over any assumption.
cosign: no matching signatures
You have cosign but the --certificate-identity-regexp does not match the signer. For rousseau, use sebastienrousseau/rousseau-agent. If it still fails, run cosign initialize to refresh Sigstore's trust root — the root rotates on a slow cadence.
rousseau version prints dev / none / unknown
You installed via go install and the -ldflags version stamps in internal/cli/root.go were not populated. Cosmetic only, but the signed-release archive is the fix.
macOS Gatekeeper refuses to open the binary
Right-click the binary in Finder, choose Open, then Open again in the dialog. Alternatively xattr -d com.apple.quarantine ./rousseau removes the quarantine bit. The signed release is not notarised — cosign verification is the equivalent supply-chain check.
Related pages
- Getting Started: Platform Support — OS, architecture, and provider auth matrix.
- Getting Started: First Transport — wire WhatsApp end-to-end.
- Getting Started: Updating — how to move between versions safely.
- Deployment — the rootless Podman + Quadlet reference deployment.
- Security — trust boundaries and supply-chain hardening.
Further reading
README.md— repository-level positioning and capability matrix.SECURITY.md— vulnerability disclosure and supply-chain controls.Makefile— the exact CI gate reproduced locally bymake check.docker/Dockerfile— multi-stage build (golang:1.26-alpine→node:22-alpine).