Latest Release License SLSA: Level 3
Tests & Scans Security Scans CodeQL

ToolFetch

ToolFetch is a CLI for fetching and installing external tools from release URLs (e.g. GitHub releases) using a YAML configuration file.

It is designed for:

  • setting up new developer machines quickly and consistently
  • reproducible tool installations

Given the following configuration file named toolfetch.yaml:

destination: /opt
tools:
  - id: dbeaver
    url: "https://dbeaver.io/files/dbeaver-ce-latest-linux.gtk.x86_64.tar.gz"

When you invoke the command toolfetch --config "toolfetch.yaml", the latest version of the tool will be installed like this:

/opt
|-- dbeaver

You can use the optional placeholder ${version} in url; it is replaced with the tool's version value at runtime. Pinning a version this way, rather than pointing at a "latest" artifact whose contents change over time, is what makes an installation reproducible:

destination: "/opt"
tools:
  - id: kitty
    version: "0.44.0"
    url: "https://github.com/kovidgoyal/kitty/releases/download/v${version}/kitty-${version}-x86_64.txz"
  - id: firefox
    version: "146.0.1"
    url: "https://ftp.mozilla.org/pub/firefox/releases/${version}/linux-x86_64/en-US/firefox-${version}.tar.xz"

When you invoke the command again, tools will be installed like this:

/opt
|-- kitty
|-- firefox

You can add an optional destination key to a specific tool in order to install it somewhere else:

destination: "/opt"
tools:
  - id: kitty
    version: "0.44.0"
    url: "https://github.com/kovidgoyal/kitty/releases/download/v${version}/kitty-${version}-x86_64.txz"
    destination: "/opt/tools"
  - id: firefox
    version: "146.0.1"
    url: "https://ftp.mozilla.org/pub/firefox/releases/${version}/linux-x86_64/en-US/firefox-${version}.tar.xz"

Now, when you invoke the same command, tools will be installed like this:

/opt
|-- firefox
|-- tools
    |-- kitty

Archive and Compression Formats

Currently, the following Archive Formats are supported:

  • 7z - planned, work in progress
  • tar
  • zip
  • jar

and Compression Formats:

  • brotli
  • bzip2
  • deflate
  • gzip
  • lz4
  • lzma
  • pack200 (for jars)
  • snappy (excluding iwa)
  • xz
  • z
  • zstandard
  • concatenated streams for bzip2, gzip, xz and lz4

SBOM

All releases include a Software Bill of Materials (SBOM) describing the dependencies contained in the compiled binary.

An SBOM is provided in two forms:

  • As a standalone SBOM file included in the release artifacts
  • Embedded inside the binary

The distributed binaries are compressed with UPX, so they must be decompressed before scanning.

Install the required tools: upx and syft.

Follow these instructions to inspect the SBOM from the binary:

  • Produce an uncompressed binary toolfetch-raw:
upx -d -o toolfetch-raw toolfetch
  • Inspect the SBOM from the uncompressed binary:
syft toolfetch-raw

Provenance

Release artifacts include multiple provenance attestations that allow users to verify how the binaries were produced.

Two provenance mechanisms are provided:

  • GitHub Artifact Attestation - proves that the artifact was produced by a workflow in this repository.
  • SLSA Provenance - describes the build process and builder used to produce the artifact.

Both attestations can be verified independently.

GitHub Artifact Attestation

Release artifacts include a GitHub Artifact Attestation generated by GitHub Actions. This attestation confirms that the release artifact was built by a workflow in this repository using GitHub Actions.

Install the required tool: the GitHub CLI (gh).

Follow these instructions to verify release artifacts using the provenance attestation:

  • Log in to GitHub CLI:
$ gh auth login
  • Verify the release artifact matches the provenance attestation:
$ gh attestation verify toolfetch-X.X.X-linux-amd64.tar.gz --repo jdheim/toolfetch
Loaded digest sha256:59b618ea70f37c90418c71002bf2a9de46649c42c30f5e35f68ffc01010ddb5f for file:///toolfetch-X.X.X-linux-amd64.tar.gz
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/jdheim
- Source Repository URI must match:......... https://github.com/jdheim/toolfetch
- Subject Alternative Name must match regex: (?i)^https://github.com/jdheim/toolfetch/
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... jdheim/toolfetch
  - Build workflow:. .github/workflows/release.yml@refs/heads/main
  - Signer repo:.... jdheim/toolfetch
  - Signer workflow: .github/workflows/call-attest-build-provenance.yml@refs/heads/main

SLSA Provenance

Release artifacts also include SLSA Provenance generated by the SLSA GitHub Generator. This provenance document describes the build process used to produce the release artifact, including the builder identity, source repository, and workflow configuration.

Install the required tool: slsa-verifier.

Follow these instructions to verify release artifacts using the provenance attestation:

$ slsa-verifier verify-artifact toolfetch-X.X.X-linux-amd64.tar.gz \
    --provenance-path toolfetch-X.X.X-provenance.intoto.jsonl \
    --source-uri github.com/jdheim/toolfetch
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.1.0" at commit 9cbd8b60bb3f7532036661f881ddbb6099d49e11
Verifying artifact toolfetch-X.X.X-linux-amd64.tar.gz: PASSED

PASSED: SLSA verification passed

PGP Signatures

Release artifacts are signed with Pretty Good Privacy (PGP). Follow these instructions to verify release artifacts using their signatures:

  • Download the public key:
$ wget https://raw.githubusercontent.com/p-marcin/p-marcin/main/gpg/jdheim.asc
  • Verify the fingerprint matches the following:
$ gpg --show-keys jdheim.asc
pub   rsa4096 2026-03-01 [SC]
      FFBE9F2EC1AF21943BBE06A35E0566252E0EC8A1
uid                      Marcin P. (jdheim) <114195537+p-marcin@users.noreply.github.com>
sub   rsa4096 2026-03-01 [E]
  • Import the key (gpg cannot verify a signature unless the signer's public key is in your keyring):
$ gpg --import jdheim.asc
  • Verify the signature against the downloaded artifact (equivalently: gpg --verify toolfetch-X.X.X-linux-amd64.tar.gz.asc toolfetch-X.X.X-linux-amd64.tar.gz):
$ gpg toolfetch-X.X.X-linux-amd64.tar.gz.asc
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: assuming signed data in 'toolfetch-X.X.X-linux-amd64.tar.gz'
gpg: Signature made Sun Mar  1 18:55:02 2026 CET
gpg:                using RSA key 5E0566252E0EC8A1
gpg: Good signature from "Marcin P. (jdheim) <114195537+p-marcin@users.noreply.github.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The "not certified" warning is expected: it only means you have not marked the key as trusted in your local keyring. What matters is that the signature is reported as Good and that the key ID shown (5E0566252E0EC8A1) is the last 16 hex digits of the fingerprint you compared above.

Checksums

Release artifacts also include SHA-256 checksum files that can be used to verify the integrity of downloaded artifacts. A checksum only proves that the file you downloaded is the one the checksum was computed for; it says nothing about who built it, so combine it with the attestation or signature checks above.

Follow these instructions to verify release artifacts using their checksums (the two spaces between the digest and the file name are the format sha256sum -c expects):

$ echo "$(<toolfetch-X.X.X-linux-amd64.tar.gz.sha256)  toolfetch-X.X.X-linux-amd64.tar.gz" | sha256sum -c
toolfetch-X.X.X-linux-amd64.tar.gz: OK

$ sha256sum --ignore-missing -c checksums_sha256.txt
toolfetch-X.X.X-linux-amd64.tar.gz: OK
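The two commands above rely on two different checksum-file shapes: a per-artifact .sha256 file holding only the hex digest, and a sha256sum-style checksums_sha256.txt listing every artifact as "<digest>  <name>". The following added example, written for this page and not ToolFetch's own code, verifies both shapes offline, including the --ignore-missing behaviour (artifacts you did not download are skipped) and the tampered-file case. The artifact bytes and checksum files are constructed inline; the file names with version 1.2.3 are placeholders, not a real release.

```python
"""Verify release artifacts against bare-digest and sha256sum-style checksum files.

Added example, not ToolFetch's own code. RELEASE is a constructed in-memory
release directory so the example runs offline.
"""
import hashlib
import hmac

# Constructed sample release directory: {filename: bytes}. Not real release content.
RELEASE = {
    "toolfetch-1.2.3-linux-amd64.tar.gz": b"constructed archive bytes, not a real release\n",
    "toolfetch-1.2.3-darwin-arm64.tar.gz": b"another constructed archive\n",
}
_linux_digest = hashlib.sha256(RELEASE["toolfetch-1.2.3-linux-amd64.tar.gz"]).hexdigest()
_darwin_digest = hashlib.sha256(RELEASE["toolfetch-1.2.3-darwin-arm64.tar.gz"]).hexdigest()
# Shape 1: bare digest, one file per artifact (what $(<file.sha256) expands to above).
RELEASE["toolfetch-1.2.3-linux-amd64.tar.gz.sha256"] = (_linux_digest + "\n").encode()
# Shape 2: sha256sum list; a leading '*' on the name marks binary mode and is accepted by -c.
RELEASE["checksums_sha256.txt"] = (
    f"{_linux_digest}  toolfetch-1.2.3-linux-amd64.tar.gz\n"
    f"{_darwin_digest} *toolfetch-1.2.3-darwin-arm64.tar.gz\n"
).encode()

HEX = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str, artifact_name: str) -> dict:
    """Return {filename: digest} for either checksum-file shape."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1:
            # Bare digest: it belongs to the artifact the .sha256 file was shipped with.
            entries[artifact_name] = parts[0].lower()
        else:
            digest, name = parts
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def verify(checksum_file: str, files: dict, artifact_name: str = None) -> dict:
    """Check every listed artifact present in `files`, like sha256sum --ignore-missing.

    Returns {filename: "OK" | "FAILED" | "MISSING"}; MISSING is reported here
    rather than silently skipped so a caller can notice nothing was checked.
    """
    if artifact_name is None and checksum_file.endswith(".sha256"):
        artifact_name = checksum_file[: -len(".sha256")]
    expected = parse_checksum_file(files[checksum_file].decode(), artifact_name)
    if not expected:
        raise ValueError(f"{checksum_file}: no checksum entries found")
    results = {}
    for name, digest in expected.items():
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"malformed SHA-256 digest for {name}: {digest!r}")
        if name not in files:
            results[name] = "MISSING"
            continue
        # Constant-time comparison: not required for public digests, but a sound habit.
        results[name] = "OK" if hmac.compare_digest(sha256_hex(files[name]), digest) else "FAILED"
    return results


if __name__ == "__main__":
    for checksum_file in ("toolfetch-1.2.3-linux-amd64.tar.gz.sha256", "checksums_sha256.txt"):
        for name, status in verify(checksum_file, RELEASE).items():
            print(f"{checksum_file}: {name}: {status}")
```

Any result other than OK should stop an install pipeline; a MISSING entry for an artifact you did download means the checksum file does not cover it, which is worth investigating rather than ignoring.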

💖 Support

Hey there! If you enjoy my work and would like to support me, consider buying me a coffee! 🙂 Your contributions help me keep creating, and I truly appreciate every bit of support you offer.

Buy me a Coffee

Also, please consider giving this project a ⭐ on GitHub. This kind of support helps promote the project and lets others know that it's worth checking out.

Thank you for being amazing!

©️ License

Copyright 2026 JDHeim.com

This project is licensed under the Apache License, Version 2.0. See the LICENSE file for full license terms.
