We have multiple ways to install the CLI depending on your threat model.

Please check our work to whatever extent appropriate for your use case.

The Makefile assumes the presence of a few basic tools:

• make
• bash
• Docker

⚠️ Before you copy/paste, note that these are /low/ security options

If you are on an untrusted machine and are only evaluating our tools, we offer easy low security install paths common in the industry.

Do note that any time you run an unverified binary off the internet you are giving a third party full permission to execute any code they want on your system. Github accounts, CDNs, and package repository accounts get compromised all the time.

git clone https://github.com/thkq/tkcli
cd tkcli
# This installs in  ~/.local/bin; make sure this is in your $PATH!
make install

brew install tkhq/tap/turnkey

These steps will allow you to prove that at least two Turnkey engineers signed off on the produced binaries, signaling that they reproduced them from source code and got identical results, in addition to our usual two-party code review processes.

This minimizes a single point of trust (and failure) in our binary release process.

See the Reproducible Builds project for more information on these practices.

We use git for all development, releases, and signing. Unfortunately git has no native method for large file storage or multi-signature workflows so some git add-ons are required.

To follow these steps please install git-lfs and git-sig.

1. Clone repo

   git clone https://github.com/tkhq/tkcli
   cd tkcli

2. Review binary signatures

   git sig verify

   Note: See Trust section below for expected keys/signers

3. Install binary

   make install
   

If you intend to use the Turnkey CLI on a system you need to be able to trust or for a high risk use case, we strongly recommend taking the time to hold us accountable to the maximum degree you have resources and time for.

This protects not only you, but also protects our team. If many people are checking our work for tampering it removes the incentive for someone malicious to attempt to force one or more of us to tamper with the software.

1. Clone repo

   git clone https://github.com/tkhq/tkcli
   cd tkcli

2. Review source

   • Ideal: Review the entire supply chain is recommended for high risk uses
   • Minimal: review the "attest" "sign" and "verify" targets in the Makefile

3. Reproduce binaries

   make reproduce

   Note: See Trust section below for expected keys/signers

4. Install binaries

   make install

5. Upload signature

   While this step is totally optional, if you took the time to verify our binaries we would welcome you signing them and submitting your signature so we have public evidence third parties are checking our work.

   NOTE: this additionally uses Github's official CLI tool, gh.

   gh repo fork
   git add dist/*
   git commit -m "add signature"
   git sig add
   git push origin main
   gh pr create

Create a new API key:

$ turnkey generate api-key --organization $ORGANIZATION_ID
{
   "privateKeyFile": "/Users/andrew/Library/Application Support/turnkey/keys/default.private",
   "publicKey": "0236f17892a4649d97b2e4a4ad3c22d815e4e77848a0b8e4a5b0956ae4d6be382e",
   "publicKeyFile": "/Users/andrew/Library/Application Support/turnkey/keys/default.public"
}

Make an API request (using the default API key created above):

$ turnkey request --path /api/v1/sign --body '{"payload": "hello from TKHQ"}'
{
    "result": "I am a teapot"
}

If you need to sign a request with a different key, use the --key-name and/or --keys-folder flags:

$ turnkey request --path /api/v1/sign --body '{"payload": "hello from TKHQ"}' --keys-folder /path/to/keys --key-name another-key
{
    "result": "I am a teapot"
}

Create, but do not post a request:

$ turnkey request --no-post --path /api/v1/sign --body '{"payload": "hello from TKHQ"}'
{
    "curlCommand": "curl -X POST -d'{\"payload\": \"hello from TKHQ\"}' -H'X-Stamp: eyJwdWJsaWNLZXkiOiIwM2JmMTYyNTc2ZWI4ZGZlY2YzM2Q5Mjc1ZDA5NTk1Mjg0ZjZjNGRmMGRiNjE1NmMzYzU4Mjc3Nzg4NmEwZWUwYWMiLCJzaWduYXR1cmUiOiIzMDQ0MDIyMDZiMmRlYmIwYjA3YmYwMDJlMjI1ZmQ4NTgzZjZmNGUxNGE5YTUxYWRiYWJjNDAyYzY5YTZlN2Q4N2ViNWNjMDgwMjIwMjE0ZTdkMGJlODFjMGYyNDEyOWE0MmNkZGFlOTUxYTBmZTViMGM1Mzc3YjM2NzZiOTUyNDgyNmYwODdhMWU4ZiIsInNjaGVtZSI6IlNJR05BVFVSRV9TQ0hFTUVfVEtfQVBJX1AyNTYifQ' -v 'https://coordinator-beta.turnkey.io/api/v1/sign'",
    "message": "{\"payload\": \"hello from TKHQ\"}",
    "stamp": "eyJwdWJsaWNLZXkiOiIwM2JmMTYyNTc2ZWI4ZGZlY2YzM2Q5Mjc1ZDA5NTk1Mjg0ZjZjNGRmMGRiNjE1NmMzYzU4Mjc3Nzg4NmEwZWUwYWMiLCJzaWduYXR1cmUiOiIzMDQ0MDIyMDZiMmRlYmIwYjA3YmYwMDJlMjI1ZmQ4NTgzZjZmNGUxNGE5YTUxYWRiYWJjNDAyYzY5YTZlN2Q4N2ViNWNjMDgwMjIwMjE0ZTdkMGJlODFjMGYyNDEyOWE0MmNkZGFlOTUxYTBmZTViMGM1Mzc3YjM2NzZiOTUyNDgyNmYwODdhMWU4ZiIsInNjaGVtZSI6IlNJR05BVFVSRV9TQ0hFTUVfVEtfQVBJX1AyNTYifQ"
}

make

make out/turnkey.linux-amd64

The following will drop a binary in build/turnkey:

make build-local

Note that you may need to do the following:

• Install git-lfs: https://git-lfs.com
• Setup: git lfs install

To release a new version of the CLI:

Determine the next version:

git tag | sort -n | tail -n5

Export your new version:

export VERSION=vX.Y.Z

Build the release artifacts:

make VERSION=$VERSION dist

Cut a new release branch:

git checkout -b release-$VERSION

Open a pull request, and once you have enough approvals, tag the release:

git tag -sa $VERSION -m "New release: $VERSION"

Finally, update the download table above, with links pointing to the new binaries.

Once the pull request is merged, ask your reviewer(s) to attest with git sig:

make reproduce

# If the reproduce command succeeds:
git sig add

Once enough signatures have been collected, the following command should succeed:

git sig verify --threshold 2

Finally, post the new release on Github with a changelog and update the Homebrew tap.

You should never trust random binaries or code you find on the internet. Even if it is from a reputable git identity, developers are phished all the time.

Supply chain attacks are becoming increasingly common in our industry and it takes strong accountability to prevent them from happening.

The only way to be reasonably confident code was actually authored by the people we think it was, is if that software is cryptographically signed by a key only those individuals have access to.

Similarly if a company releases binaries, you have no idea if the machine that compiled it is compromised or not, and no idea if the code in that binary corresponds to the actual code in the repo that you or someone you trust authored or reviewed.

To address both problems we take the following steps:

1. All commits are signed with keys that only exist on hardware security modules held by each engineer
2. All binaries are signed by the engineer that compiled them
3. Attesting engineers compile and sign binaries if they get the same hashes

To learn who signed the current release run:

git sig verify --threshold 2

Commits will be signed by at least one of the keys under the signers section below.

Released binaries should be signed by at least two of them signifying successful reproducible builds.

We encourage you to review the below keyoxide links and any available web-of-trust for each key to ensure it is really owned by the person it claims to be owned by.