Skip to main content

Installation

This page installs both NebCore tools, NebCLI and NebGuard. Every path verifies the binaries' signatures before anything runs: the one-line installer and the package managers do it for you, and the manual recipe shows the same check done by hand.

Prerequisites

  • A supported platform (see Supported platforms below).
  • cosign 2.4 or newer. The installer and the manual recipe both use it to verify signatures; there is no unverified path.
  • curl and tar (already present on macOS and Linux). On Windows, use Scoop or the .zip archives.
  • A NebCore tenant slug if you plan to log in. You can install without one and run in the free tier.
caution

NebCore source code is private. Public users get binaries from the public mirrors and from get.nebcore.ai only. Do not try to download releases from the source repositories; they are not accessible.

Install each tool with a single command (macOS, Linux):

curl -fsSL https://get.nebcore.ai/install | bash -s -- nebcli
curl -fsSL https://get.nebcore.ai/install | bash -s -- nebguard

The installer detects your platform, downloads the right archive plus its signature bundle, verifies both the cosign signature and the Rekor transparency-log entry against the public key in nebinfra/trust, and only then installs the binary (to /usr/local/bin, or ~/.local/bin when not running as root). Useful flags:

# choose the install directory
curl -fsSL https://get.nebcore.ai/install | bash -s -- nebcli --prefix "$HOME/.local/bin"

# pin a specific release
curl -fsSL https://get.nebcore.ai/install | bash -s -- nebcli --version v6.10.2

After a successful install the script sends one anonymous tag (a hash of a machine-local random id plus the component, OS, architecture, and version; nothing identifying). Opt out with --no-telemetry, NEBCORE_NO_TELEMETRY=1, or the standard DO_NOT_TRACK=1.

To verify the installer script itself before piping it to a shell:

curl -fsSL https://get.nebcore.ai/install -o install
curl -fsSL https://get.nebcore.ai/install.sig -o install.sig
cosign verify-blob \
--key https://raw.githubusercontent.com/nebinfra/trust/main/cosign-keys/install-prod.pub \
--bundle install.sig --new-bundle-format install
bash install nebcli

Homebrew (macOS, Linux)

brew tap nebinfra/tap
brew trust nebinfra/tap # Homebrew 6.0.0+ requires trusting a third-party tap before installing from it
brew install nebcli nebguard

Scoop (Windows)

scoop bucket add nebinfra https://github.com/nebinfra/scoop-bucket
scoop install nebcli

NebGuard ships for macOS and Linux only; on Windows install NebCLI alone.

Verified manual install

The same download-and-verify the installer performs, done by hand. Pick your platform's ARCH value from the table below and the latest VERSION from the nebinfra/nebcli-dist releases page.

1. Install NebCLI

ARCH="linux_amd64" # see the supported-platforms table; macOS uses darwin_all
VERSION="v6.10.2" # latest from nebinfra/nebcli-dist/releases

# Download the archive and its cosign signature bundle
curl -fsSL -O "https://github.com/nebinfra/nebcli-dist/releases/download/${VERSION}/nebcli_${VERSION#v}_${ARCH}.tar.gz"
curl -fsSL -O "https://github.com/nebinfra/nebcli-dist/releases/download/${VERSION}/nebcli_${VERSION#v}_${ARCH}.tar.gz.bundle"

# Verify the signature and the Rekor transparency-log entry (required; there is no bypass)
cosign verify-blob \
--key https://raw.githubusercontent.com/nebinfra/trust/main/cosign-keys/nebcli-prod.pub \
--bundle "nebcli_${VERSION#v}_${ARCH}.tar.gz.bundle" \
--new-bundle-format \
"nebcli_${VERSION#v}_${ARCH}.tar.gz"

# Extract and install
tar -xzf "nebcli_${VERSION#v}_${ARCH}.tar.gz"
sudo install -m 0755 nebcli /usr/local/bin/nebcli

Expect cosign verify-blob to print Verified OK. If it prints anything else, stop: the archive or its signature has been altered, and you should not install it.

2. Install NebGuard

NebGuard is distributed the same way, from the nebinfra/nebguard-dist mirror, verified against cosign-keys/nebguard-prod.pub in nebinfra/trust.

ARCH="linux_amd64" # or linux_arm64 / darwin_all
VERSION="v5.16.0" # latest from nebinfra/nebguard-dist/releases

curl -fsSL -O "https://github.com/nebinfra/nebguard-dist/releases/download/${VERSION}/nebguard_${VERSION#v}_${ARCH}.tar.gz"
curl -fsSL -O "https://github.com/nebinfra/nebguard-dist/releases/download/${VERSION}/nebguard_${VERSION#v}_${ARCH}.tar.gz.bundle"

cosign verify-blob \
--key https://raw.githubusercontent.com/nebinfra/trust/main/cosign-keys/nebguard-prod.pub \
--bundle "nebguard_${VERSION#v}_${ARCH}.tar.gz.bundle" \
--new-bundle-format \
"nebguard_${VERSION#v}_${ARCH}.tar.gz"

tar -xzf "nebguard_${VERSION#v}_${ARCH}.tar.gz"
sudo install -m 0755 nebguard /usr/local/bin/nebguard

Expect Verified OK again before you install.

Supported platforms

macOS ships one universal archive that covers both Apple silicon and Intel.

OSArchitectureARCH valueArchiveTools
Linuxamd64linux_amd64.tar.gzNebCLI, NebGuard
Linuxarm64linux_arm64.tar.gzNebCLI, NebGuard
macOSuniversal (all)darwin_all.tar.gzNebCLI, NebGuard
Windowsamd64windows_amd64.zipNebCLI
Windowsarm64windows_arm64.zipNebCLI

Verify the install

Confirm each binary is on your PATH and reports its version:

nebcli version
nebguard version

Each prints its version and build information. If a command is not found, make sure the install directory (for example /usr/local/bin) is on your PATH.

Upgrade

nebcli update # downloads, verifies, and swaps the binary in place
nebcli update --check # only report whether a newer release exists

If you installed with Homebrew or Scoop, brew upgrade / scoop update work as well. NebGuard upgrades by re-running the install path you used.

Uninstall

sudo rm /usr/local/bin/nebcli
sudo rm /usr/local/bin/nebguard
rm -rf ~/.nebcore # config, tokens, and the license file (logs you out everywhere)
warning

Removing ~/.nebcore deletes the NebCLI license file that NebGuard reads. After this, NebGuard falls back to the free tier (rerun nebguard setup to sign up again) and NebCLI requires a fresh login.

Next steps