Skip to main content

Installing OpenTofu from GitHub Releases

Using the installer script

Code Block
# Download the installer script:
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
# Alternatively: wget --secure-protocol=TLSv1_2 --https-only https://get.opentofu.org/install-opentofu.sh -O install-opentofu.sh

# Grant execution permissions:
chmod +x install-opentofu.sh

# Please inspect the downloaded script at this point.

# Run the installer:
./install-opentofu.sh --install-method standalone

# Remove the installer:
rm -f install-opentofu.sh

Using OpenTofu as a standalone binary

You can run OpenTofu without installation as a standalone binary. You can download the latest release for your operating system from the GitHub releases page, unpack the zip and start using it. For easier updates, we recommend using the non-portable packaged versions for your operating system.

Community-supported Architectures

Download the latest binary for ppc64le here. Contact the ppc64le maintainer for issues related to this binary.

Verify the file integrity

Please download the tofu_YOURVERSION_SHA256SUMS file from the release. This file contains the SHA256 checksums for all files. You can verify the integrity of your file by running:

Code Block
ZIPFILE=tofu_*.zip
CHECKSUM=$(sha256sum "${ZIPFILE}" | cut -f 1 -d ' ')
EXPECTED_CHECKSUM=$(grep "${ZIPFILE}" tofu_*_SHA256SUMS | cut -f 1 -d ' ')
if [ "${CHECKSUM}" = "${EXPECTED_CHECKSUM}" ]; then
echo "OK"
else
echo "MISMATCH"
fi

Verifying the binaries with Cosign

After you have verified the checksums, you can verify the integrity of the checksum file itself with Cosign. Please make sure you have installed Cosign and download the tofu_YOURVERSION_SHA256SUMS.pem and tofu_YOURVERSION_SHA256SUMS.sig files for your release. You can then run the integrity verification:

Code Block
OPENTOFU_VERSION_MAJORMINOR="Add your OpenTofu major and minor version here"
IDENTITY="https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v${OPENTOFU_VERSION_MAJORMINOR}"
# For alpha and beta builds use /main
cosign \
verify-blob \
--certificate-identity "${IDENTITY}" \
--signature "tofu_*.sig" \
--certificate "tofu_*.pem" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
"tofu_*_SHA256SUMS"