Guide
Verify Before You Install
Any tool that runs as root deserves scrutiny. Use this guide to slow down, inspect the install path, and avoid treating a convenient command as proof of trust.
Read Before Running
A shell installer should be readable. Before piping anything to a shell, fetch it, open it, and confirm what it downloads, writes, enables, and reports.
curl -fsSL https://vexyl.dev/install.sh -o install.sh
less install.sh
sh -n install.sh
Check Source And Release Artifacts
- Find the public source repository and compare it with the release artifact.
- Review recent release notes and open issues before installing.
- Confirm checksums are published from the expected domain.
- Confirm signatures or package metadata exist for normal package flows.
Verify Vexyl Guard Artifacts
Vexyl Guard publishes checksum manifests and signed package repository metadata so operators can verify the release path instead of relying on a single install command.
curl -fsS https://vexyl.dev/downloads/SHA256SUMS -o SHA256SUMS
curl -fsS https://vexyl.dev/downloads/SHA256SUMS.sig -o SHA256SUMS.sig
curl -fsS https://vexyl.dev/downloads/release-signing-public.pem -o release-signing-public.pem
openssl dgst -sha256 -verify release-signing-public.pem -signature SHA256SUMS.sig SHA256SUMS
Prefer Package Repositories For Routine Hosts
Direct installers are useful for preview testing. For normal server workflows, signed APT and DNF repositories are easier to track, update, and audit.
Ask The Boring Questions
- What user or service account does it run as?
- What files does it write?
- What service does it enable?
- What network calls does it make during install?
- How do you stop, disable, or remove it?
- Does it start in monitor mode or change host policy immediately?
Next Step
If the verification path looks reasonable, test on a non-critical host first and keep monitor mode enabled until you understand the output.