Installing OpenTofu from GitHub Releases
Using the installer script
- Linux/MacOS/Unix (POSIX)
- Windows (PowerShell)
# Download the installer script:
curl --proto '=https' --tlsv1.2 -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
# Alternatively: wget --secure-protocol=TLSv1_2 --https-only https://get.opentofu.org/install-opentofu.sh -O install-opentofu.sh
# Grand execution permissions:
chmod +x install-opentofu.sh
# Please inspect the downloaded script at this point.
# Run the installer:
./install-opentofu.sh --install-method standalone
# Remove the installer:
rm install-opentofu.sh
# Download the installer script:
Invoke-WebRequest -outfile "install-opentofu.ps1" -uri "https://get.opentofu.org/install-opentofu.ps1"
# Please inspect the downloaded script at this point.
# Run the installer:
& .\install-opentofu.ps1 -installMethod standalone
# Remove the installer:
Remove-Item install-opentofu.ps1
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process before running the installer.Using OpenTofu as a standalone binary
You can run OpenTofu without installation as a standalone binary. You can download the latest release for your operating system from the GitHub releases page, unpack the zip and start using it. For easier updates, we recommend using the non-portable packaged versions for your operating system.
Verify the file integrity
Please download the tofu_YOURVERSION_SHA256SUMS file from the release. This file contains the SHA256 checksums for all files. You can verify the integrity of your file by running:
- Linux (sha256sum)
- MacOS (shasum)
- Windows (PowerShell)
ZIPFILE=tofu_*.zip
CHECKSUM=$(sha256sum "${ZIPFILE}" | cut -f 1 -d ' ')
EXPECTED_CHECKSUM=$(grep "${ZIPFILE}" tofu_*_SHA256SUMS | cut -f 1 -d ' ')
if [ "${CHECKSUM}" = "${EXPECTED_CHECKSUM}" ]; then
echo "OK"
else
echo "MISMATCH"
fi
ZIPFILE=tofu_*.zip
CHECKSUM=$(shasum -a 256 "tofu_*.zip" | cut -f 1 -d ' ')
EXPECTED_CHECKSUM=$(grep "${ZIPFILE}" tofu_*_SHA256SUMS | cut -f 1 -d ' ')
if [ "${CHECKSUM}" = "${EXPECTED_CHECKSUM}" ]; then
echo "OK"
else
echo "MISMATCH"
fi
$zipFile="tofu_YOURVERSION_REPLACEME.zip"
$checksum = $(Get-FileHash -Algorithm SHA256 $zipFile).Hash
$expectedChecksum = $((Get-Content "tofu_YOURVERSION_REPLACEME_SHA256SUMS" | Select-String -Pattern $zipFile) -split '\s+')[0]
if ($realHash -ne $expectedHash) {
Write-Error "Checksum mismatch"
}
Verifying the binaries with Cosign
After you have verified the checksums, you can verify the integrity of the checksum file itself with Cosign. Please make sure you have installed Cosign and download the tofu_YOURVERSION_SHA256SUMS.pem and tofu_YOURVERSION_SHA256SUMS.sig files for your release. You can then run the integrity verification:
- Linux/MacOS/UNIX (POSIX)
- Windows (PowerShell)
OPENTOFU_VERSION_MAJORMINOR="Add your OpenTofu major and minor version here"
IDENTITY="https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v${OPENTOFU_VERSION_MAJORMINOR}"
# For alpha and beta builds use /main
cosign \
verify-blob \
--certificate-identity "${IDENTITY}" \
--signature "tofu_*.sig" \
--certificate "tofu_*.pem" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
"tofu_*_SHA256SUMS"
$version = [version]"YOUR_OPENTOFU_VERSION"
$identity = "https://github.com/opentofu/opentofu/.github/workflows/release.yml@refs/heads/v${version.Major}.${version.Minor}"
# For alpha and beta builds use /main
cosign.exe `
verify-blob `
--certificate-identity $identity `
--signature "tofu_YOURVERSION_REPLACEME.sig" `
--certificate "tofu_YOURVERSION_REPLACEME.pem" `
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" `
"tofu_YOURVERSION_REPLACEME_SHA256SUMS"