Binstall provides a low-complexity mechanism for installing Rust binaries as an alternative to building from source (via cargo install
) or manually downloading packages.
This is intended to work with existing CI artifacts and infrastructure, and with minimal overhead for package maintainers.
Binstall works by fetching the crate information from crates.io
and searching the linked repository
for matching releases and artifacts, falling back to the quickinstall third-party artifact host, to alternate targets as supported, and finally to cargo install
as a last resort.
You may want to see this page as it was when the latest version was published.
$ cargo binstall radio-sx128x@0.14.1-alpha.5
INFO resolve: Resolving package: 'radio-sx128x@=0.14.1-alpha.5'
WARN The package radio-sx128x v0.14.1-alpha.5 (x86_64-unknown-linux-gnu) has been downloaded from github.com
INFO This will install the following binaries:
INFO - sx128x-util (sx128x-util-x86_64-unknown-linux-gnu -> /home/.cargo/bin/sx128x-util)
Do you wish to continue? yes/[no]
? yes
INFO Installing binaries...
INFO Done in 2.838798298s
Binstall aims to be a drop-in replacement for cargo install
in many cases, and supports similar options.
For unattended use (e.g. in CI), use the --no-confirm
flag.
For additional options please see cargo binstall --help
.
To upgrade cargo-binstall, use cargo binstall cargo-binstall
!
Here are one-liners for downloading and installing a pre-compiled cargo-binstall
binary.
curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
Set-ExecutionPolicy Unrestricted -Scope Process; iex (iwr "https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.ps1").Content
Download the relevant package for your system below, unpack it, and move the cargo-binstall
executable into $HOME/.cargo/bin
:
With a recent Rust installed:
cargo install cargo-binstall
We provide a first-party, minimal action that installs the latest version of Binstall:
- uses: cargo-bins/cargo-binstall@main
For more features, we recommend the excellent taiki-e/install-action, which has dedicated support for selected tools and uses Binstall for everything else.
These are useful third-party tools which work well with Binstall.
While you can upgrade crates explicitly by running cargo binstall
again, cargo-update
takes care of updating all tools as needed.
It automatically uses Binstall to install the updates if it is present.
Binstall and cargo install
both install tools globally by default, which is fine for system-wide tools.
When installing tooling for a project, however, you may prefer to both scope the tools to that project and control their versions in code.
That's where cargo-run-bin
comes in, with a dedicated section in your Cargo.toml and a short cargo subcommand.
When Binstall is available, it installs from binary whenever possible... and you can even manage Binstall itself with cargo-run-bin
!
Binstall is generally smart enough to auto-detect artifacts in most situations.
However, if a package fails to install, you can manually specify the pkg-url
, bin-dir
, and pkg-fmt
as needed at the command line, with values as documented in SUPPORT.md.
$ cargo-binstall \
--pkg-url="{ repo }/releases/download/{ version }/{ name }-{ version }-{ target }.{ archive-format }" \
--pkg-fmt="txz" \
crate_name
Maintainers wanting to make their users' life easier can add explicit Binstall metadata to Cargo.toml
to locate the appropriate binary package for a given version and target.
We have initial, limited support for maintainers to specify a signing public key and where to find package signatures. With this enabled, Binstall will download and verify signatures for that package.
You can use --only-signed
to refuse to install packages if they're not signed.
If you like to live dangerously (please don't use this outside testing), you can use --skip-signatures
to disable checking or even downloading signatures at all.
Because wget
-ing releases is frustrating, cargo install
takes a not inconsequential portion of forever on constrained devices, and often putting together actual packages is overkill.
Crates already have these, and they already contain a significant portion of the required information.
Also, there's this great and woefully underused (IMO) [package.metadata]
field.
Yes and also no?
We have initial support for verifying signatures, but not a lot of the ecosystem produces signatures at the moment. See #1 to discuss more on this.
We always pull the metadata from crates.io over HTTPS, and verify the checksum of the crate tar. We also enforce using HTTPS with TLS >= 1.2 for the actual download of the package files.
Compared to something like a curl ... | sh
script, we're not running arbitrary code, but of course the crate you're downloading a package for might itself be malicious!
You can find a full description of errors including exit codes here: https://docs.rs/binstalk/latest/binstalk/errors/enum.BinstallError.html
Yes!
Extra pre-built packages with a .full
suffix are available and contain split debuginfo, documentation files, and extra binaries like the detect-wasi
utility.
If you have ideas/contributions or anything is not working the way you expect (in which case, please include an output with --log-level debug
) and feel free to open an issue or PR.