Download the Agent

Download Files

To download the agent, follow these steps:

  1. Log into the Crux VPN web UI.
  2. Click the Downloads link in the footer.
  3. Click the name of the file to download.

The following files can be downloaded:

  • cruxvpn-agent-latest.tar.gz: The Linux agent tarball.
  • cruxvpn-agent-latest-win64.msi: The Windows agent MSI installer.
  • cruxvpn-agent-latest-amd64-oci.tar.bz2: The agent OCI image for Docker.

When downloaded, the word latest in the file name will be replaced with the actual version of the agent (for example, the file will be named cruxvpn-agent-1.2.3.tar.gz instead of cruxvpn-agent-latest.tar.gz).

Verify Signature

A .sigstore.json file can be downloaded for each file (e.g., cruxvpn-agent-1.2.3.tar.gz.sigstore.json). This is the Sigstore signature bundle for the file. Verifying this signature proves that the file was legitimately signed on a GitHub Actions runner by a workflow that was run from our private Crux VPN agent repository.

Using the GitHub CLI, you can verify a tarball with the following command:

gh attestation verify cruxvpn-agent-1.2.3.tar.gz \
    --repo crux-comms/cruxvpn-agent \
    --bundle cruxvpn-agent-1.2.3.tar.gz.sigstore.json

And you can verify an OCI image (after loading it via docker load) with the following command:

gh attestation verify oci://ghcr.io/crux-comms/cruxvpn-agent:1.2.3 \
    --repo crux-comms/cruxvpn-agent

Alternatively, you can use the Sigstore Cosign tool for verification. Before you do, export GitHub's "Internal Services Root" Sigstore CA metadata once with the following command:

gh attestation trusted-root | tail -n1 > gh-internal-root.json

Tip

If you want to export the GitHub trusted root without installing the GitHub CLI, you can run the GitHub CLI in a Docker container, as in the following command. The trusted root you export this way is only as trustworthy as the container image that produces it.

docker run --rm docker.io/maniator/gh attestation trusted-root | tail -n1 > gh-internal-root.json

You can then use that trusted root metadata to verify a tarball with the following Cosign command:

cosign verify-blob-attestation \
    --new-bundle-format \
    --private-infrastructure \
    --use-signed-timestamps \
    --insecure-ignore-sct \
    --trusted-root=gh-internal-root.json \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com  \
    --certificate-identity-regexp=^https://github.com/crux-comms/cruxvpn-agent/.+ \
    --bundle=cruxvpn-agent-1.2.3.tar.gz.sigstore.json \
    cruxvpn-agent-1.2.3.tar.gz

And you can verify a loaded OCI image with the following command:

cosign verify-attestation \
    --new-bundle-format \
    --private-infrastructure \
    --use-signed-timestamps \
    --insecure-ignore-sct \
    --trusted-root=gh-internal-root.json \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity-regexp=^https://github.com/crux-comms/cruxvpn-agent/.+ \
    --type https://slsa.dev/provenance/v1 \
    ghcr.io/crux-comms/cruxvpn-agent:1.2.3

To see further details from the verify-attestation command, you can decode the payload content it prints by using jq and appending the following pipes to the command:

cosign verify-attestation \
    ...
    ghcr.io/crux-comms/cruxvpn-agent:1.2.3 |
    tee | tail -n1 | jq -r '.payload' | base64 -d | jq .
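
The decoded payload is an in-toto statement. The following Python, added here as an illustration and not part of the Crux VPN documentation, checks the three fields worth reading in it: the subject digest, the predicate type and the source repository. The function names, the sample envelope and the field path under predicate (taken from the SLSA v1 provenance layout that GitHub Actions emits) are assumptions.

```python
import base64
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"


def decode_statement(envelope_line: str) -> dict:
    """Decode the base64 'payload' field of the envelope line cosign prints."""
    envelope = json.loads(envelope_line)
    return json.loads(base64.b64decode(envelope["payload"]))


def check_statement(statement: dict, expected_sha256: str, expected_repo: str) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if statement.get("predicateType") != SLSA_V1:
        problems.append("unexpected predicateType: %r" % statement.get("predicateType"))
    # The attestation must be about this artifact, not some other release.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_sha256.lower() not in digests:
        problems.append("artifact digest not listed in subject")
    # Assumed layout: the source repository is recorded under
    # predicate.buildDefinition.externalParameters.workflow.repository.
    workflow = (statement.get("predicate", {}).get("buildDefinition", {})
                .get("externalParameters", {}).get("workflow", {}))
    if workflow.get("repository") != expected_repo:
        problems.append("unexpected source repository: %r" % workflow.get("repository"))
    return problems


def make_sample_envelope(sha256: str, repo: str) -> str:
    """Build a constructed sample envelope (not real Crux VPN output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "ghcr.io/crux-comms/cruxvpn-agent",
                     "digest": {"sha256": sha256}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"externalParameters": {
            "workflow": {"repository": repo}}}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json", "payload": payload})


if __name__ == "__main__":
    digest = "ab" * 32  # constructed placeholder digest
    repo = "https://github.com/crux-comms/cruxvpn-agent"
    line = make_sample_envelope(digest, repo)
    print(check_statement(decode_statement(line), digest, repo) or "all checks passed")
```

Run these checks only on output from a cosign command that exited successfully; the payload by itself is unsigned JSON and proves nothing.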

Verify Checksum

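A .sha256 file can also be downloaded for each file (e.g., cruxvpn-agent-1.2.3.tar.gz.sha256). This is the SHA-256 checksum of the file. A matching checksum shows that the download is complete and uncorrupted; the Sigstore signature above is what shows where the file was built.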

You can verify this checksum by running the sha256sum command on a Linux system, as follows:

$ ls -1
cruxvpn-agent-1.2.3.tar.gz
cruxvpn-agent-1.2.3.tar.gz.sha256
$ sha256sum --check cruxvpn-agent-1.2.3.tar.gz.sha256
cruxvpn-agent-1.2.3.tar.gz: OK

Next Steps

Install the agent on a host.