The dynamic binary requires glibc 2.38+ — built on
ubuntu-latest (2.39+), it refuses to load on Debian 12
(glibc 2.36), older Ubuntu, RHEL 8/9, etc. Hard portability
ceiling for the one-liner installer.
The musl-static binary (built on Alpine, attached as
skeletonkey-x86_64-static) runs on every libc — verified
Alpine → Debian/Ubuntu/Fedora/RHEL cross-distro. Costs ~800 KB
extra (1.2 MB vs 390 KB) but eliminates the libc-version
problem entirely.
Default: install.sh now fetches the -static asset for x86_64.
Override: SKELETONKEY_DYNAMIC=1 curl … | sh fetches the smaller
dynamic binary (for hosts that have modern glibc and want the
smaller download).
arm64: no static variant attached yet (cross-compiling musl
for aarch64 needs a separate toolchain); install.sh still
fetches the dynamic arm64 binary, which works on most modern
arm64 distros (raspberry-pi / aws graviton / etc.).
The README documents the one-liner as 'curl ... install.sh | sh',
but on Debian/Ubuntu /bin/sh is dash which rejects 'set -o pipefail'
unknown option. The shebang #!/usr/bin/env bash is honored only
when the script is invoked directly — when piped via 'curl | sh'
the running shell IS dash.
Fix: split the strict-mode setup. 'set -eu' is POSIX-portable
(every shell). 'pipefail' is then enabled conditionally only on
shells that recognise it. Every curl/tar/install step in the rest
of the script checks its own exit code, so losing pipefail in dash
costs no behaviour — the installer still fails fast on any error.
For 'people should say just use iamroot' framing, the install gate is
the single biggest discoverability bottleneck. This commit makes it:
curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh
.github/workflows/release.yml:
- Triggers on semver tag push (v*.*.*) + manual dispatch.
- Matrix build for x86_64 (gcc) and arm64 (aarch64-linux-gnu-gcc cross).
- Per-arch sha256sum alongside the binary.
- Auto-generates release notes pointing at CVES.md / ROADMAP.md and
including the install one-liner with the version-specific URL.
- Publishes via softprops/action-gh-release@v2.
install.sh (also uploaded as a release artifact, so the curl|sh
above is stable):
- Detects arch (x86_64 / aarch64 → arm64).
- Pulls iamroot-<arch> + iamroot-<arch>.sha256 from the requested
version (default: latest).
- Verifies sha256 via sha256sum or shasum -a 256.
- Installs to /usr/local/bin/iamroot (or $IAMROOT_PREFIX). Uses sudo
iff /usr/local/bin isn't already writable.
- Prints quickstart hints + ethics pointer at the end.
- Env knobs: IAMROOT_VERSION, IAMROOT_PREFIX, IAMROOT_REPO.
README.md gains a 'Quickstart' section at the top with the four
canonical commands: install, --scan, --audit, --detect-rules,
fleet-scan. Lands the 'curl|bash and go' UX as the first thing
visitors see.
leviathan